Analysis
-
max time kernel
138s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
08-05-2024 12:54
General
-
Target
b474a43ea56fc721cf27927b4915fc80_NEIKI.exe
-
Size
1.3MB
-
MD5
b474a43ea56fc721cf27927b4915fc80
-
SHA1
7bcaac40f65c0b6a779e7c7a433e5e3c573a71ca
-
SHA256
41b15bae142cbf857b319a0251055e6d085bf48c18d19acc7f272bea2a9d7b9a
-
SHA512
f57ccb09635bdc792342bb6a4089e8ec4d89b1f6cec6a69c07c0b95122f5d6604d94acbf73edd1c10c6ae6009f2b047286beae03afd0ebb02d27b1065370637c
-
SSDEEP
24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOS5:E5aIwC+Agr6g81p1vsrNi5
Malware Config
Signatures
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b474a43ea56fc721cf27927b4915fc80_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\b474a43ea56fc721cf27927b4915fc80_NEIKI.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\b484a43ea67fc821cf28928b4916fc90_NFJLJ.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b474a43ea56fc721cf27927b4915fc80
SHA17bcaac40f65c0b6a779e7c7a433e5e3c573a71ca
SHA25641b15bae142cbf857b319a0251055e6d085bf48c18d19acc7f272bea2a9d7b9a
SHA512f57ccb09635bdc792342bb6a4089e8ec4d89b1f6cec6a69c07c0b95122f5d6604d94acbf73edd1c10c6ae6009f2b047286beae03afd0ebb02d27b1065370637c
-
Filesize
20KB
MD5849400c1d8d2c07b198ee910a9870320
SHA1731b9f4f95189a9cf6bd61044a4de4b4fd9d9f59
SHA256244f34d0ba99a2a7cfd483daa40ecd367a1e9faaa93e2b197d9fe66e0da0f250
SHA5121a366024663f5794079968e1ba52f136694f6f3d7d1a34bf942fcf7dfcba7658842b79f6c29004d81c605c3108311c945d8fd35b0c8d058ae0c5e61a34e1559e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
2.8MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB