Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 08/05/2024, 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
Size: 70KB
MD5: 9d7796c142ca1c48e2634c39b3dbb200
SHA1: 139600095af0f83fb9bd6def96fd23b3783da7a9
SHA256: 3d0db891ce4d6ace4be8ac16c94871a9a50eba3d81885933abddca0497a8419e
SHA512: 305367e5b664bd8a87af9864cca6f31c8448f363bbeba433d227983196fedb18492ea3c060a4ac0a96dbd0ad1efede177b7ccb0b884e724dd07abd965af87e09
SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8xr:Olg35GTslA5t3/w8xr
Malware Config
Signatures
Windows security bypass (4 IoCs; signature name restored from the process tree below, where it heads the list for PID 2208)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | kkabor.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450} | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\IsInstalled = "1" | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\StubPath = "C:\\Windows\\system32\\afcoahoob-udoot.exe" | kkabor.exe
Sets file execution options in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\encovec.exe" | kkabor.exe
Executes dropped EXE (2 IoCs)
pid | Process
2208 | kkabor.exe
2540 | kkabor.exe
Loads dropped DLL (3 IoCs)
pid | Process
2192 | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
2192 | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
2208 | kkabor.exe
Windows security modification (4 IoCs; signature name restored from the process tree below, where it appears in this position for PID 2208)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | kkabor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | kkabor.exe
Modifies WinLogon (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\amfoopoat.dll" | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | kkabor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | kkabor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | kkabor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | kkabor.exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\encovec.exe | kkabor.exe
File created | C:\Windows\SysWOW64\encovec.exe | kkabor.exe
File opened for modification | C:\Windows\SysWOW64\kkabor.exe | kkabor.exe
File opened for modification | C:\Windows\SysWOW64\kkabor.exe | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
File created | C:\Windows\SysWOW64\kkabor.exe | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\afcoahoob-udoot.exe | kkabor.exe
File created | C:\Windows\SysWOW64\afcoahoob-udoot.exe | kkabor.exe
File opened for modification | C:\Windows\SysWOW64\amfoopoat.dll | kkabor.exe
File created | C:\Windows\SysWOW64\amfoopoat.dll | kkabor.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2540 | kkabor.exe (1 entry)
2208 | kkabor.exe (all other entries; 64 entries in total)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2192 | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe
Token: SeDebugPrivilege | 2208 | kkabor.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed)
description | pid | Process | procid_target
PID 2192 wrote to memory of 2208 | 2192 | 9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe | 28 (4 entries)
PID 2208 wrote to memory of 432 | 2208 | kkabor.exe | 5 (1 entry)
PID 2208 wrote to memory of 2540 | 2208 | kkabor.exe | 29 (4 entries)
PID 2208 wrote to memory of 1232 | 2208 | kkabor.exe | 21 (all remaining entries; 64 entries in total)
Processes (image path, command line, PID; indentation shows parent/child)
C:\Windows\system32\winlogon.exe  [winlogon.exe]  PID:432
C:\Windows\Explorer.EXE  [C:\Windows\Explorer.EXE]  PID:1232
  C:\Users\Admin\AppData\Local\Temp\9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe  ["C:\Users\Admin\AppData\Local\Temp\9d7796c142ca1c48e2634c39b3dbb200_NEIKI.exe"]  PID:2192
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\kkabor.exe  ["C:\Windows\system32\kkabor.exe"]  PID:2208
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\kkabor.exe  [--k33p]  PID:2540
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 72KB
MD5: 45571f1082b96b78249aba10815f134d
SHA1: ea7da59ddd3d569a2b9e58c4ea163fee226d7415
SHA256: c70dc02932cd668b0f2ebbf3d92893162d576b48bf3d9f23e6fdd60e884dcc48
SHA512: 4367b247ae879691b0c2366cf2a76a87c06e1e595b148c540ba733eb0b15d40cb30d9595e05fc8addebcdbd033992be6d51f9e3f49323edb8d865547a0d49515

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 73KB
MD5: 31247ad80ac2c4ed1d9a5a34a6529cea
SHA1: 50bbd5e93b3a87e7bac8f40013640faf55de4e48
SHA256: af80896e9a5f2e256cd9fa8f6fd781b250e3bf6093820aa1291c39571b29f13d
SHA512: 6859d246707b3c64e0da67f11b4ef2f934218c632c8949fd35d4843ca4a7f1d8eb32b7c79750a0e964733e93ec742d29f77583c1a3c833fb5cf26108c06c7f96

Filesize: 70KB
MD5: 9d7796c142ca1c48e2634c39b3dbb200
SHA1: 139600095af0f83fb9bd6def96fd23b3783da7a9
SHA256: 3d0db891ce4d6ace4be8ac16c94871a9a50eba3d81885933abddca0497a8419e
SHA512: 305367e5b664bd8a87af9864cca6f31c8448f363bbeba433d227983196fedb18492ea3c060a4ac0a96dbd0ad1efede177b7ccb0b884e724dd07abd965af87e09