Analysis
- max time kernel: 135s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 08:30
Behavioral task: behavioral1
- Sample: 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
- Resource: win7-20240419-en
General
- Target: 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
- Size: 1.3MB
- MD5: 2bc2d4e2cf1706542b76460e36d968b0
- SHA1: ecd2a5f2fc75165918dd3d6d4783e3dbeaae3da9
- SHA256: fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76
- SHA512: d90ad63051f8b2cd43362056d598a7d38795c5d67be4542808cb0413a52abd6a9f60920cc8839543021fe5a31437bd3f3d57ba2e960a846ce686582cc1993fb3
- SSDEEP: 24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSBRGh+i:E5aIwC+Agr6g81p1vsrNiK7
Malware Config
Signatures
-
- KPOT Core Executable (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral1/memory/2176-15-0x0000000000610000-0x0000000000639000-memory.dmp
  yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  PID 1680  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  PID 2172  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  PID 1992  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
- Loads dropped DLL (2 IoCs)
  PID 2176  2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe (2 events)
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  by powershell.exe (one event per PowerShell instance, PIDs 2560 and 3024)
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 2524  sc.exe
  PID 2580  sc.exe
  PID 2504  sc.exe
  PID 2952  sc.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2176  2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe (3 events)
  PID 1680  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe (3 events)
  PID 3024  powershell.exe
  PID 2560  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 3024  powershell.exe
  Token: SeDebugPrivilege  PID 2560  powershell.exe
  Token: SeTcbPrivilege    PID 2172  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  Token: SeTcbPrivilege    PID 1992  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2176  2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
  PID 1680  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  PID 2172  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
  PID 1992  2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each row is "source PID / source process -> target PID / target process (number of write events)"; the rows sum to the 64 events reported.
  2176 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe -> 2108 cmd.exe (4)
  2176 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe -> 1720 cmd.exe (4)
  2176 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe -> 2928 cmd.exe (4)
  2176 2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe -> 1680 2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe (4)
  1680 2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe -> 2852 cmd.exe (4)
  1680 2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe -> 2624 cmd.exe (4)
  1680 2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe -> 2828 cmd.exe (4)
  1680 2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe -> 2676 svchost.exe (28)
  2108 cmd.exe -> 2504 sc.exe (4)
  2852 cmd.exe -> 2524 sc.exe (4)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In the process tree below, taskeng.exe (PID 2308, running as S-1-5-18 / NT AUTHORITY\System) starts the dropped WinSocket executable twice (PIDs 2172 and 1992), which is what a task created through this API looks like when it fires; both instances then enable SeTcbPrivilege and spawn svchost.exe.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"
    PID:2176
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c sc stop WinDefend
        PID:2108
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\sc.exe
            command line: sc stop WinDefend
            PID:2504
            - Launches sc.exe
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c sc delete WinDefend
        PID:1720
        [3] C:\Windows\SysWOW64\sc.exe
            command line: sc delete WinDefend
            PID:2952
            - Launches sc.exe
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        PID:2928
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            PID:2560
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        PID:1680
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c sc stop WinDefend
            PID:2852
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\sc.exe
                command line: sc stop WinDefend
                PID:2524
                - Launches sc.exe
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c sc delete WinDefend
            PID:2624
            [4] C:\Windows\SysWOW64\sc.exe
                command line: sc delete WinDefend
                PID:2580
                - Launches sc.exe
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            PID:2828
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                PID:3024
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID:2676
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {C3BEEBB7-2AAA-4CA7-8B09-7B7201A3A47B} S-1-5-18:NT AUTHORITY\System:Service:
    PID:2308
    [2] C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        PID:2172
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID:1636
    [2] C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        command line: C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe
        PID:1992
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID:2848
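The process tree above is the kind of record an EDR or Sysmon process-creation feed would produce, and the three behaviours worth alerting on are visible in it: Defender being stopped, deleted and switched off through cmd.exe -> sc.exe / powershell.exe; an executable launched from %AppData%\Roaming\WinSocket\; and svchost.exe being started (and written to) by that dropped executable rather than by the service control manager. The following detection pass is an added example, not code from the sandbox or from this report. Its event records are constructed from the tree (PIDs, image paths and command lines as reported above; the parent PIDs of the two tree roots are not shown in the report and are set to 0), and the rule that a genuine svchost.exe has services.exe as its parent is an assumption about a stock Windows 7 host. The tampering regex also accepts the numeric `-DisableRealtimeMonitoring 1` form, which does not appear on this page.

```python
"""Detection pass over process-creation events constructed from this report's
process tree.  Added example, not the sandbox's own code.  Assumptions: ppid 0
for the two roots (parents not shown in the report); a normal svchost.exe is
started by services.exe on a stock Windows 7 host."""
import re
from collections import Counter

NEIKI = r"C:\Users\Admin\AppData\Local\Temp\2bc2d4e2cf1706542b76460e36d968b0_NEIKI.exe"
NFJLJ = r"C:\Users\Admin\AppData\Roaming\WinSocket\2bc2d4e2cf1807642b87470e37d979b0_NFJLJ.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
STOP = "sc stop WinDefend"
DELETE = "sc delete WinDefend"
MPPREF = "powershell Set-MpPreference -DisableRealtimeMonitoring $true"

# (pid, ppid, image, command line): constructed from the report's process tree.
EVENTS = [
    (2176, 0, NEIKI, f'"{NEIKI}"'),
    (2108, 2176, CMD, "/c " + STOP),   (2504, 2108, SC, STOP),
    (1720, 2176, CMD, "/c " + DELETE), (2952, 1720, SC, DELETE),
    (2928, 2176, CMD, "/c " + MPPREF), (2560, 2928, PS, MPPREF),
    (1680, 2176, NFJLJ, NFJLJ),
    (2852, 1680, CMD, "/c " + STOP),   (2524, 2852, SC, STOP),
    (2624, 1680, CMD, "/c " + DELETE), (2580, 2624, SC, DELETE),
    (2828, 1680, CMD, "/c " + MPPREF), (3024, 2828, PS, MPPREF),
    (2676, 1680, SVCHOST, SVCHOST),
    (2308, 0, TASKENG, "taskeng.exe {C3BEEBB7-2AAA-4CA7-8B09-7B7201A3A47B} "
                       r"S-1-5-18:NT AUTHORITY\System:Service:"),
    (2172, 2308, NFJLJ, NFJLJ), (1636, 2172, SVCHOST, SVCHOST),
    (1992, 2308, NFJLJ, NFJLJ), (2848, 1992, SVCHOST, SVCHOST),
]

# Defender tampering as seen in the tree: stop/delete of the WinDefend service,
# or Set-MpPreference turning real-time monitoring off ($true or the numeric 1).
DEFENDER_TAMPER = re.compile(
    r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+windefend\b"
    r"|set-mppreference\b.*?-disablerealtimemonitoring\s+(?:\$true|1)\b",
    re.IGNORECASE,
)
# Intermediaries the malware drives; they are not the origin of the tampering.
LOLBINS = {"cmd.exe", "sc.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (pid, rule) findings for every event that trips a rule."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        parent = basename(image_of.get(ppid, ""))
        if DEFENDER_TAMPER.search(cmdline):
            findings.append((pid, "defender_tamper"))
        # Executable launched from the roaming profile, where the report's
        # dropped file (WinSocket\...NFJLJ.exe) lives.
        if name.endswith(".exe") and "\\appdata\\roaming\\" in image.lower():
            findings.append((pid, "exec_from_appdata_roaming"))
        # Assumption: a real svchost.exe is started by services.exe.  In the
        # report it is spawned by the dropped EXE, which then writes into it.
        if name == "svchost.exe" and parent != "services.exe":
            findings.append((pid, "svchost_unexpected_parent"))
    return findings


def tamper_origins(events):
    """Attribute each Defender-tampering event to the first non-LOLBin ancestor
    (the process that started the cmd -> sc/powershell chain), counted per PID."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    image_of = {pid: image for pid, _, image, _ in events}
    origins = Counter()
    for pid, rule in scan(events):
        if rule != "defender_tamper":
            continue
        cur = pid
        while cur in parent_of and basename(image_of[cur]) in LOLBINS:
            cur = parent_of[cur]
        origins[cur] += 1
    return dict(origins)


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(f"{rule:26} pid={pid}")
    print("tampering chains per origin PID:", tamper_origins(EVENTS))
```

Run against the constructed events, `tamper_origins` attributes six tampering events each to PID 2176 (the submitted sample) and PID 1680 (the dropped copy), which is the right unit for an alert: one incident per origin process rather than twelve separate hits on cmd.exe, sc.exe and powershell.exe. The three svchost.exe findings line up with the 28 WriteProcessMemory events from PID 1680 into PID 2676 listed under Signatures, so a real deployment would join this parent check against a process-access or memory-write feed before calling it injection.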
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2581f4a00d0a6675dbee3ecd116e9c26
  SHA1: 582011e39a98013c7816a89cb1923b47713fdfce
  SHA256: 8c77b99cf88e59675bb42795abfd901dec79acea2dbeba50a1113d99c8719b69
  SHA512: 0d752a4653f5f0592b275b955fe6922f16167bddce20b1383f659c3428c165c107cd639b68a03830b2da0359c1d0ce2ea1260f8416e9c02babd189de03c4802e
- (path not shown; the hashes are those of the submitted sample)
  Filesize: 1.3MB
  MD5: 2bc2d4e2cf1706542b76460e36d968b0
  SHA1: ecd2a5f2fc75165918dd3d6d4783e3dbeaae3da9
  SHA256: fb5a0ecb62aa6fbf3ee2a2044860b7c30dc00654dd75da35e48c19de35313a76
  SHA512: d90ad63051f8b2cd43362056d598a7d38795c5d67be4542808cb0413a52abd6a9f60920cc8839543021fe5a31437bd3f3d57ba2e960a846ce686582cc1993fb3