bbbebdc999110afdde6d2bfdaf9f679db63119c4741ab8dc9c55780978d6c862

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76ee224909a1112297793d893b6c34c0_NEIKI.exe
Size

144KB
MD5

76ee224909a1112297793d893b6c34c0
SHA1

46d3bdedd2d04d48198d6dfa72d68392e4bd6d36
SHA256

bbbebdc999110afdde6d2bfdaf9f679db63119c4741ab8dc9c55780978d6c862
SHA512

d7c28153e063a6d2d747597a979fee664d2f92fee28d0ebbb78a006e9b5f199f70f28ea78d09218304ad872bbb6cbaf147f2d057a57c714a3f3b454e9b5fa3c8
SSDEEP

3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2732	WindowsService.exe
2736	WindowsService.exe
324	WindowsService.exe

Loads dropped DLL 5 IoCs

pid	Process
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-440-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2012-445-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2736-1031-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2012-1034-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2736-1039-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 2732 set thread context of 2736	2732	WindowsService.exe	33
PID 2732 set thread context of 324	2732	WindowsService.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe
Token: SeDebugPrivilege	2736	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe
2732	WindowsService.exe
2736	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 1072 wrote to memory of 2012	1072	76ee224909a1112297793d893b6c34c0_NEIKI.exe	28
PID 2012 wrote to memory of 2756	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	29
PID 2012 wrote to memory of 2756	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	29
PID 2012 wrote to memory of 2756	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	29
PID 2012 wrote to memory of 2756	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	29
PID 2756 wrote to memory of 2832	2756	cmd.exe	31
PID 2756 wrote to memory of 2832	2756	cmd.exe	31
PID 2756 wrote to memory of 2832	2756	cmd.exe	31
PID 2756 wrote to memory of 2832	2756	cmd.exe	31
PID 2012 wrote to memory of 2732	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	32
PID 2012 wrote to memory of 2732	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	32
PID 2012 wrote to memory of 2732	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	32
PID 2012 wrote to memory of 2732	2012	76ee224909a1112297793d893b6c34c0_NEIKI.exe	32
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 2736	2732	WindowsService.exe	33
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34
PID 2732 wrote to memory of 324	2732	WindowsService.exe	34

C:\Users\Admin\AppData\Local\Temp\76ee224909a1112297793d893b6c34c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\76ee224909a1112297793d893b6c34c0_NEIKI.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\76ee224909a1112297793d893b6c34c0_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\76ee224909a1112297793d893b6c34c0_NEIKI.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIXYV.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:2832
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2736
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIXYV.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
144KB

MD5
ec83df6e85c108358c0a6f473f7af68a

SHA1
7c69073970d4953a890900a1e928b56bef71c312

SHA256
7dff98d92954fd04943994e6b7ced5ace170e4405d53501b608726ff29ffb76c

SHA512
909018da1288d86d06f7f65a6e56dd5be30c6da208e3de0bf6021496d0103d3e5391d6b063b3d19a4b805bc816bf9a349ca8673c7293438c961fb8ad5432c808

Download Submit
memory/1072-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2012-440-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2012-445-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2012-1034-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2736-1031-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2736-1039-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads