Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/05/2024, 08:52

General

  • Target

    36268a4d3575744fd79674c832173ae0_NEIKI.exe

  • Size

    136KB

  • MD5

    36268a4d3575744fd79674c832173ae0

  • SHA1

    6010734ad7d8ff3b12f7e8af8226c655f358dd58

  • SHA256

    06e444805e6a0a838d944903db7ae4a0f2a74f3776e820819e9783dcfe003048

  • SHA512

    8276ce096d9e29171a490c14929be04785065f050a68174b02f8059326bf7bfb2247e3d83a77903cfdd294cd1edf06b09aa5e70b8223285a535809b3fa81302a

  • SSDEEP

    768:lBTkCFBzd64CtUloJ/D4JcJpSC4dqPprTZTZ2YRv0obYhUYtZDx1AvduKkbeuKMi:d840UmJc+IMP8YRco0UqsuKMDm

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Sandbox heuristic triggered by net.exe touching the local administrators group. In this run the observed invocations (net user, net localgroup administrators) only enumerate accounts and group membership; no account creation or group-membership change appears in the process tree.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses command-line utilities (netstat -ano, ipconfig /all) to view network configuration and active connections.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 3 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36268a4d3575744fd79674c832173ae0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\36268a4d3575744fd79674c832173ae0_NEIKI.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\regini.exe
      regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
      2⤵
      • Modifies system executable filetype association
      • Modifies registry class
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      C:\Users\Admin\AppData\Local\Temp\conhost.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\regini.exe
        regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
        3⤵
        • Modifies registry class
        PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\must.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3136
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            PID:3860
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            PID:2704
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            PID:3900
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:4356
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3252
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:3524
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          PID:3168
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:1628
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          PID:1020
        • C:\Windows\SysWOW64\net.exe
          net view
          4⤵
          • Discovers systems in the same network
          PID:3376
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • Discovers systems in the same network
          PID:5024
        • C:\Windows\SysWOW64\net.exe
          net user /domain
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user /domain
            5⤵
            PID:2228
      • C:\Windows\SysWOW64\regini.exe
        regini.exe C:\Users\Admin\AppData\Local\Temp\ppxxxx
        3⤵
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize
    136KB
    MD5
    36268a4d3575744fd79674c832173ae0
    SHA1
    6010734ad7d8ff3b12f7e8af8226c655f358dd58
    SHA256
    06e444805e6a0a838d944903db7ae4a0f2a74f3776e820819e9783dcfe003048
    SHA512
    8276ce096d9e29171a490c14929be04785065f050a68174b02f8059326bf7bfb2247e3d83a77903cfdd294cd1edf06b09aa5e70b8223285a535809b3fa81302a

  • C:\Users\Admin\AppData\Local\Temp\must.bat
    Filesize
    562B
    MD5
    def72a2e815d36d1b207e69c53a0dfb6
    SHA1
    08c091cafbc4627d3e1953adeed04a4c0791f755
    SHA256
    f71e998458a6ffbf157edd7c4d7bf5dcf2df92f769f459b1adb901e13d5d2a00
    SHA512
    7c5755b82d4320000cc84bc1fdb1fdff2c4244b0849ee4eebc0529a9757e73cd1b3878255571ad00f0855ffc82dac4d6d43dc28e0b32151d4a97a122b81ab9ce

  • C:\Users\Admin\AppData\Local\Temp\ppxxxx
    Filesize
    70B
    MD5
    20eb0bd9744f943aff13206338fdfca8
    SHA1
    b2f64c9fddeee998f2c52b9685c87fdaeed768fe
    SHA256
    6efe03d7c079a715fa4b6bcd52332f08b1f89e840c10a220adfe7b8318626613
    SHA512
    b674ac8a06a11be27bfac4a12785d0b85b8bc42f70ac519df0150d940914135cdd42450103131ef276be7e27a7213a3d640dead3168cf2e6cef8ccf7e2ddbb64

  • C:\Users\Admin\AppData\Local\Temp\ppxxxx
    Filesize
    135B
    MD5
    15e7eafedbdbb2788c5fde53e9d045e3
    SHA1
    b868931638b4b3ea9c44821e7ade2ffd3255ef2b
    SHA256
    4f1c84c3f30c5f8be30326254148b597568c0ce6ad45bd8fbddc6c9600505361
    SHA512
    e0f21948299de152d17f6f8fd49d01223d19ce605ba77b5896d200e58abfcf49241c949b38120e84aa329d5469ac69067466d81c5260db741cfdcbcf4f0c0423

  • C:\Users\Admin\AppData\Local\Temp\winword4.doc
    Filesize
    16KB
    MD5
    4a8a59c1378a0b43b1b20a5ecf12d7cb
    SHA1
    60be33d7cdddefd4b7e661aeeb723dc8d0f3de73
    SHA256
    cca102e091c4a3786072886b8e3c1530f86edb670ed6e872af78b08b7a81c329
    SHA512
    0db870306c20b232d344c2304cda08e5ec4feaef1eb5b43b85a7dac865f6d9290a6a79231a2d20ddfe00712e3a918e481799b34c7226b308263d6bac135b80f6
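Two things in the Downloads list deserve an automated check rather than a glance: the dropped conhost.exe carries exactly the submitted sample's hashes, so it is a self-copy wearing a Windows system binary's name outside the Windows directory, and the path ppxxxx appears twice with different sizes and hashes, so the regini input file was rewritten between invocations. The following is an added triage example, not part of the sandbox report. The hashes are copied from the report; the record layout, the rule names and the short system-binary list are assumptions made for illustration.

```python
"""Triage a sandbox run's dropped-file list for (a) drops byte-identical to
the submitted sample, (b) Windows system binary names living outside
%SystemRoot% (ATT&CK T1036.005, Match Legitimate Name or Location), and
(c) a path written more than once with differing content.

Added example; hashes from the report, everything else assumed."""

# Submitted sample's SHA256 (General section of the report).
SAMPLE_SHA256 = "06e444805e6a0a838d944903db7ae4a0f2a74f3776e820819e9783dcfe003048"

# Dropped files as (path, size_bytes, sha256), copied from the Downloads section.
DROPS = [
    (r"C:\Users\Admin\AppData\Local\Temp\conhost.exe", 136 * 1024,
     "06e444805e6a0a838d944903db7ae4a0f2a74f3776e820819e9783dcfe003048"),
    (r"C:\Users\Admin\AppData\Local\Temp\must.bat", 562,
     "f71e998458a6ffbf157edd7c4d7bf5dcf2df92f769f459b1adb901e13d5d2a00"),
    (r"C:\Users\Admin\AppData\Local\Temp\ppxxxx", 70,
     "6efe03d7c079a715fa4b6bcd52332f08b1f89e840c10a220adfe7b8318626613"),
    (r"C:\Users\Admin\AppData\Local\Temp\ppxxxx", 135,
     "4f1c84c3f30c5f8be30326254148b597568c0ce6ad45bd8fbddc6c9600505361"),
    (r"C:\Users\Admin\AppData\Local\Temp\winword4.doc", 16 * 1024,
     "cca102e091c4a3786072886b8e3c1530f86edb670ed6e872af78b08b7a81c329"),
]

# Illustrative subset (assumption) of binaries that legitimately live only
# under %SystemRoot%; a real deployment would use a fuller, maintained list.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe", "dllhost.exe", "regini.exe"}

def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def under_system_root(path: str) -> bool:
    """Assumes the system drive is C:, as in the sandbox image."""
    return path.lower().startswith("c:\\windows\\")

def triage(sample_sha256: str, drops):
    """Return a list of (rule, path) findings for the dropped-file records."""
    findings = []
    seen = {}  # lower-cased path -> (path as first written, set of sha256)
    for path, _size, sha256 in drops:
        key = path.lower()
        seen.setdefault(key, (path, set()))[1].add(sha256.lower())
        if sha256.lower() == sample_sha256.lower():
            findings.append(("SELF_COPY", path))
        if basename(path) in SYSTEM_BINARIES and not under_system_root(path):
            findings.append(("MASQUERADE_T1036.005", path))
    for path, hashes in seen.values():
        if len(hashes) > 1:
            findings.append(("REWRITTEN", path))
    return findings

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_SHA256, DROPS):
        print(f"{rule:22} {path}")
```

On the report's data this yields three findings: SELF_COPY and MASQUERADE_T1036.005 on the Temp-resident conhost.exe, and REWRITTEN on ppxxxx. Against live artifacts rather than a report, compute the SHA256 values with hashlib over the files themselves instead of trusting the listing.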