Analysis
- max time kernel: 19s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 10:18
Static task: static1
Behavioral task: behavioral1
- Sample: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- Size: 112KB
- MD5: 5f4cb188b5fdf35093d7cb198a2fe8a0
- SHA1: e4d8f996f6541146d080abf185e10780f290a609
- SHA256: 628930f9b112760abb6afb3d84f4fe9007a222aeaaeae90130b377cd261dec8c
- SHA512: 9f2bfc85c54b104c52a2a10a9e719bd1239f443402a4f979751cb34f5f96b80ab4582998793c90311f06430677ac5067332944df771694b4175558e41f3297ab
- SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 3 IoCs
Processes:
- behavioral2/memory/788-67-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: modiloader_stage2)
- behavioral2/memory/788-65-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: modiloader_stage2)
- behavioral2/memory/788-73-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: modiloader_stage2)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe: Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 3 IoCs
Processes:
- WAMain.exe (PID 380)
- WAMain.exe (PID 4304)
- WAMain.exe (PID 788)
Processes:
- behavioral2/memory/716-9-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
- behavioral2/memory/716-13-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
- behavioral2/memory/716-17-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
- behavioral2/memory/788-61-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- behavioral2/memory/788-67-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- behavioral2/memory/788-65-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- behavioral2/memory/788-63-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- behavioral2/memory/716-69-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
- behavioral2/memory/788-73-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4304-72-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WAMain.exe"
Suspicious use of SetThreadContext 5 IoCs
Processes:
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe set thread context of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe set thread context of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 380 WAMain.exe set thread context of 1648 svchost.exe
- PID 380 WAMain.exe set thread context of 4304 WAMain.exe
- PID 380 WAMain.exe set thread context of 788 WAMain.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe 4992 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4304 WAMain.exe
- Token: SeDebugPrivilege, PID 4304 WAMain.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
- 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe (PID 3076)
- svchost.exe (PID 4992)
- 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe (PID 716)
- WAMain.exe (PID 380)
- svchost.exe (PID 1648)
- WAMain.exe (PID 4304)
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 4992 svchost.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 3076 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 3920 cmd.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 3920 cmd.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 3920 cmd.exe
- PID 3920 cmd.exe wrote to memory of 2828 reg.exe
- PID 3920 cmd.exe wrote to memory of 2828 reg.exe
- PID 3920 cmd.exe wrote to memory of 2828 reg.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 380 WAMain.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 380 WAMain.exe
- PID 716 5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe wrote to memory of 380 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 1648 svchost.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 4304 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
- PID 380 WAMain.exe wrote to memory of 788 WAMain.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe"
  PID: 3076
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 4992
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f4cb188b5fdf35093d7cb198a2fe8a0_NEIKI.exe"
    PID: 716
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJAUV.bat" "
      PID: 3920
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
        PID: 2828
        Signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      PID: 380
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 1648
        Signatures: Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 4304
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 788
        Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 1164
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 3a4614705555abb049c3298e61170b7f
  SHA1: c8686410756f346d9551256a5b878b04770950ba
  SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
  SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007
- Filesize: 112KB
  MD5: 81c8b92050e3deb58644f1e5623f76d8
  SHA1: 6ae7d06ea97159ba0ff832bea7dfb073629da715
  SHA256: 0d0a597b608d94532816860c9621276008758f3eb1e370e068b95f2f8d9cf629
  SHA512: 55f420e5c8fe1354bc4169eb6150df57a9c56f798818ef40c65ad11c76a48675e36be89bdbb0615d91e8b3c6c821164e950b2c62f8f42e79d6364c21a996798f