Analysis
max time kernel: 2s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 10:18
Static task: static1
Behavioral task: behavioral1
  Sample: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
  Resource: win10v2004-20240226-en
General
Target: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
Size: 112KB
MD5: 5f4cb188b5fdf35093d7cb198a2fe8a0
SHA1: e4d8f996f6541146d080abf185e10780f290a609
SHA256: 628930f9b112760abb6afb3d84f4fe9007a222aeaaeae90130b377cd261dec8c
SHA512: 9f2bfc85c54b104c52a2a10a9e719bd1239f443402a4f979751cb34f5f96b80ab4582998793c90311f06430677ac5067332944df771694b4175558e41f3297ab
SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/2440-286-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
behavioral1/memory/2440-303-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
Processes:
resource                                                                       yara_rule
behavioral1/memory/3004-117-0x0000000000400000-0x000000000040B000-memory.dmp   upx
behavioral1/memory/3004-129-0x0000000000400000-0x000000000040B000-memory.dmp   upx
behavioral1/memory/2440-286-0x0000000000400000-0x0000000000414000-memory.dmp   upx
behavioral1/memory/3004-282-0x0000000000400000-0x000000000040B000-memory.dmp   upx
behavioral1/memory/2440-303-0x0000000000400000-0x0000000000414000-memory.dmp   upx
behavioral1/memory/2292-302-0x0000000000400000-0x000000000040B000-memory.dmp   upx
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                           pid   process                                      target process
PID 2888 set thread context of 2576   2888  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe   svchost.exe
PID 2888 set thread context of 3004   2888  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe   5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2576  svchost.exe   (64 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
2888  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
2576  svchost.exe
3004  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process                                      target process
PID 2888 wrote to memory of 2576   2888  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe   svchost.exe                                  (10 identical entries)
PID 2888 wrote to memory of 3004   2888  5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe   5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe   (8 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2888
    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2576
    C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 3004
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWHFJ.bat" "
          PID: 2416
            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
              PID: 2340
        C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
          PID: 1964
            C:\Windows\SysWOW64\svchost.exe
              Command line: "C:\Windows\system32\svchost.exe"
              PID: 1248
            C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
              PID: 2292
            C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
              PID: 2440
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 148B
MD5: 3a4614705555abb049c3298e61170b7f
SHA1: c8686410756f346d9551256a5b878b04770950ba
SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

Filesize: 112KB
MD5: ca53e9fd572d4fa19e0fa7f85d312022
SHA1: 3f2bccda51163c77905f2431bfbc6154c534be0d
SHA256: 37c7f9ec6c42947cebe4c35839e66e6162035cd8b528f1253d334bf60c2b2eda
SHA512: 475e94a98d0e71acdfd2b5b22982500ac39078c8b8580cc7928e24ca6fca9e7100b1a96b5e921f445367f576df2b7b26dbf03b7775c17fa15902976d7ac4bfb0