Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 07:14

Behavioral task: behavioral1
Sample: 0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe
Resource: win7-20240221-en
General
- Target: 0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe
- Size: 1.3MB
- MD5: 0415e5e2b23e6c152fdfa69700f4e800
- SHA1: d02ceb60693385ae19a49d734b3c2c532baa5cbb
- SHA256: 27ed27d7a830b6262b48318686efbcecd9f8176748b160c6d9b139c7f2b36891
- SHA512: a2eb5ecad673ae8e485843a75e6b6140dd31277e13eaf35b99daa57930eabb07c1bdceb315f88f68fadf7a4646b40a67cebdf5c400aebb744e71d9f2034b0387
- SSDEEP: 24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0UOSQV:E5aIwC+Agr6twjVDQ
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe  family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource, yara_rule):
  behavioral2/memory/2732-16-0x00000000022C0000-0x00000000022E9000-memory.dmp  trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4684  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  3524  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  4040  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeTcbPrivilege  3524  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  Token: SeTcbPrivilege  4040  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  2732  0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe
  4684  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  3524  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  4040  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process). The report lists one row per write and repeats the same source/target pair many times; the rows are collapsed here to the distinct pairs:
  PID 2732 wrote to memory of 4684  2732  0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  PID 4684 wrote to memory of 5004  4684  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe  svchost.exe
  PID 3524 wrote to memory of 3444  3524  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe  svchost.exe
  PID 4040 wrote to memory of 3584  4040  0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe  svchost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe (PID 2732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0415e5e2b23e6c152fdfa69700f4e800_NEIKI.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe (PID 4684)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 5004)
      Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe (PID 3524)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 3444)
    Command line: C:\Windows\system32\svchost.exe
- C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe (PID 4040)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\0416e6e2b23e7c162fdfa79800f4e900_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (PID 3584)
    Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 0415e5e2b23e6c152fdfa69700f4e800
  SHA1: d02ceb60693385ae19a49d734b3c2c532baa5cbb
  SHA256: 27ed27d7a830b6262b48318686efbcecd9f8176748b160c6d9b139c7f2b36891
  SHA512: a2eb5ecad673ae8e485843a75e6b6140dd31277e13eaf35b99daa57930eabb07c1bdceb315f88f68fadf7a4646b40a67cebdf5c400aebb744e71d9f2034b0387
- Filesize: 27KB
  MD5: 752a24a6769adea5f468deb72e730a3e
  SHA1: b77bec9b8aa32c26003f8d515909139a3ddbf433
  SHA256: c025cb01593c213bdefd6ef6fa9fb3cbb7e0c4213fa37723c29f0d4f403da828
  SHA512: f73469b15e7bf1c96086e72f557027162e010e47c082c562deb57a256a32dc4cc3004529620aae85b3fce8bd5639838534b63ee90136931c4e68471f23e27b7d