Analysis

- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 06:17

- Static task static1
- Behavioral task behavioral1: sample f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe, resource win10v2004-20240419-en
General

- Target: f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe
- Size: 70KB
- MD5: f39cdd0a44629f41e757d113a9c12a80
- SHA1: 995a8a36055cda4cddc371ce7f45cb28db2db92c
- SHA256: 432e813152f849e923b8d914f09459fc40129f59b5a7d4406f1a230a2b307eff
- SHA512: e8f1ce8c9d3bd1cd509bac4e2637cd392c974ad4e766152db2a6ee4e72c65a09cfc3a75100f3ea22cde1b319e21b4b8a5c7345ecb5c9b5ca9fd20676b6f6e0d6
- SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slf:Olg35GTslA5t3/w82
Malware Config
Signatures
Windows security bypass 4 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | bkicim.exe |
Modifies Installed Components in the registry 2 TTPs 4 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c} | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\IsInstalled = "1" | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\StubPath = "C:\\Windows\\system32\\pmoaxeah-med.exe" | bkicim.exe |
Sets file execution options in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\sboceam.exe" | bkicim.exe |
Executes dropped EXE 2 IoCs

| pid | Process |
|---|---|
| 2728 | bkicim.exe |
| 2388 | bkicim.exe |
Windows security modification 4 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | bkicim.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | bkicim.exe |
Modifies WinLogon 2 TTPs 5 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | bkicim.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eggicek-eacooc.dll" | bkicim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | bkicim.exe |
Drops file in System32 directory 9 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\pmoaxeah-med.exe | bkicim.exe |
| File opened for modification | C:\Windows\SysWOW64\eggicek-eacooc.dll | bkicim.exe |
| File created | C:\Windows\SysWOW64\eggicek-eacooc.dll | bkicim.exe |
| File created | C:\Windows\SysWOW64\sboceam.exe | bkicim.exe |
| File opened for modification | C:\Windows\SysWOW64\pmoaxeah-med.exe | bkicim.exe |
| File opened for modification | C:\Windows\SysWOW64\sboceam.exe | bkicim.exe |
| File opened for modification | C:\Windows\SysWOW64\bkicim.exe | bkicim.exe |
| File opened for modification | C:\Windows\SysWOW64\bkicim.exe | f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe |
| File created | C:\Windows\SysWOW64\bkicim.exe | f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
|---|---|
| 2728 | bkicim.exe |
| 2388 | bkicim.exe |

All 64 listed entries are bkicim.exe: two for PID 2388, the rest for PID 2728. Duplicate rows are collapsed above.
Suspicious use of AdjustPrivilegeToken 2 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3708 | f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe |
| Token: SeDebugPrivilege | 2728 | bkicim.exe |
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3708 wrote to memory of 2728 | 3708 | f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe | 83 |
| PID 2728 wrote to memory of 624 | 2728 | bkicim.exe | 5 |
| PID 2728 wrote to memory of 3432 | 2728 | bkicim.exe | 56 |
| PID 2728 wrote to memory of 2388 | 2728 | bkicim.exe | 84 |

Of the 64 listed entries, three are 3708 -> 2728, one is 2728 -> 624, three are 2728 -> 2388, and all the remaining entries are 2728 -> 3432 (Explorer.EXE). Duplicate rows are collapsed above.
Processes

- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), PID 624
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3432
  - C:\Users\Admin\AppData\Local\Temp\f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f39cdd0a44629f41e757d113a9c12a80_NEIKI.exe"), PID 3708
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\bkicim.exe (command line: "C:\Windows\system32\bkicim.exe"), PID 2728
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\bkicim.exe (command line: --k33p), PID 2388
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15