Analysis

  • Max time kernel: 150s
  • Max time network: 119s
  • Platform: windows7_x64
  • Resource: win7-20240419-en
  • Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • Submitted: 08-05-2024 12:20

General

  • Target: a811a3c1e769aa79d9493942c4976160_NEIKI.exe
  • Size: 1.6MB
  • MD5: a811a3c1e769aa79d9493942c4976160
  • SHA1: e972b66d9eaf4b26f61fcfe762ea03e3ee57f85b
  • SHA256: 9b0ec0360c57721dba7aa2cdae5cff0eec452c1879763afa0c74cc4aa7e747db
  • SHA512: 78ec5b29e403fd8e14b4f8a2f31548a17063e7a51dc0bff97986e5fa06eb29dd80f977e1460efa815926b21457bca97d88f62401166113f2feb558aa2a16563e
  • SSDEEP: 24576:PFOaskwW4oHIIH950ysEtbJ4gwMmaRaV7rzwYVtH0E8ma8jT+RRiQIWYH17tu6t2:trwCB9+YOaILVtH0E8maWGiQI3V7tNt2

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (6 IoCs)
  • VMProtect packed file (1 IoC)

    Detects executables packed with the VMProtect commercial packer.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Creates scheduled task(s) (1 TTP, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_NEIKI.exe (PID 1992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_NEIKI.exe"
    Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • \??\c:\users\admin\appdata\local\temp\a811a3c1e769aa79d9493942c4976160_neiki.exe (PID 2320)
      Command line: c:\users\admin\appdata\local\temp\a811a3c1e769aa79d9493942c4976160_neiki.exe
      Signatures: Executes dropped EXE
    • C:\Windows\Resources\Themes\icsys.icn.exe (PID 2448)
      Command line: C:\Windows\Resources\Themes\icsys.icn.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • \??\c:\windows\resources\themes\explorer.exe (PID 3032)
        Command line: c:\windows\resources\themes\explorer.exe
        Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        • \??\c:\windows\resources\spoolsv.exe (PID 2140)
          Command line: c:\windows\resources\spoolsv.exe SE
          Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          • \??\c:\windows\resources\svchost.exe (PID 2796)
            Command line: c:\windows\resources\svchost.exe
            Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            • \??\c:\windows\resources\spoolsv.exe (PID 2632)
              Command line: c:\windows\resources\spoolsv.exe PR
              Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            • C:\Windows\SysWOW64\schtasks.exe (PID 2684)
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:22 /f
              Signatures: Creates scheduled task(s)
            • C:\Windows\SysWOW64\schtasks.exe (PID 2736)
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:23 /f
              Signatures: Creates scheduled task(s)
            • C:\Windows\SysWOW64\schtasks.exe (PID 2100)
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:24 /f
              Signatures: Creates scheduled task(s)
        • C:\Windows\Explorer.exe (PID 2532)
          Command line: C:\Windows\Explorer.exe

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 135KB
    MD5: e477b04f9fe2863ca9b2da307ab8a30c
    SHA1: 929e7adf312d25f4bf3754ce0efd93dc022b7de3
    SHA256: e54d59a8ecb6d3416c282905bb97d738a1162f2d497a19c47561763495322073
    SHA512: 2d803fbf325dee1d782bbd77a0f74cbcb00a6a54ecd064e6f8bb79b63e427494ffff2cd69aa3c8df8b25c8f571b1deb0a1c05d40be2f9c7e46b66bb36808e01a

  • \Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_neiki.exe
    Filesize: 1.5MB
    MD5: b2df0057569ffe9c42fa88e639ac7046
    SHA1: 1798be8ca6f11c08b982f60e42d1c632f0631077
    SHA256: eb507ee4b4b347daa400c41408146a2ffc0503496e500b8177dd1a9e877d7924
    SHA512: 1ef703191775e6f32790664ea34b80e09125750a5906c4097a5cb478ebe56cb9b4ebf3b64b5249ea6c4afb1fc158380340cab7c76c2489e724804906278e0233

  • \Windows\Resources\Themes\icsys.icn.exe
    Filesize: 135KB
    MD5: 6477f6d1cd07c56e8f29ba684e030ae5
    SHA1: 880ffe02c380bb2951f88b30a928be7a87587146
    SHA256: 72de6d92b4697384847573945625a3be3183bbec6d413ce38779f48ea8a1a685
    SHA512: 0aa55d6f76fc87f0e744a8143f7340b45f446f1e946e24a6ad03665966d8cc5076eaac3e3cbf92d3af3b056642d8e2627a64cb21c40de9154a85d405380d708f

  • \Windows\Resources\spoolsv.exe
    Filesize: 135KB
    MD5: 993b2c016c259d2b099ecfe215dc49a6
    SHA1: c9b298d0efa03288a2b05c669006e66ed93194a6
    SHA256: 1f2065bfd4370f0e7fa6f6b75ffaeaa5a346ce8dac46d19f381d557b16c7a51b
    SHA512: 96b9aef4b860a98211de1060aa39fb88022f4338c8845e615522e79f172671610c8a5249e9539fee9506d7f1944592196a3fb1e8388abcc0c17f4d896ae6089f

  • \Windows\Resources\svchost.exe
    Filesize: 135KB
    MD5: 6ed7df85a137d805951c5ab1c53b7715
    SHA1: f429f69007ad6819a5b2fe7cb4cbd791a45dbec5
    SHA256: 36e866e9c3f38e7b5a19c6b94b0c4c0083c9399614e18ad43d4a02e5a8b78d04
    SHA512: 736cb8459a6767bfbfd266100db08c911d166048ee77fba3dcedf04190e8c74886ec983b99f799d9deb7da96d72457ba98ccd13e96b8554a634ada45e0f5d707

  • memory/1992-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/1992-53-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB