4134d19ef2f1215d19ac969e2513c7d7b0c88b2aa2592db7c2a30b6437fe534b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfec0991994ff13915dc0fa56d435a60_NEIKI.exe
Size

24KB
MD5

bfec0991994ff13915dc0fa56d435a60
SHA1

da85c30d13d23e8ede69bffab3137a480cc26fc7
SHA256

4134d19ef2f1215d19ac969e2513c7d7b0c88b2aa2592db7c2a30b6437fe534b
SHA512

39105b3cb20425b3c3b67abeba7df2e38d23ef99e0796e759cb80ea85c860bff19c1ce2916790890466cfb1b731087ca0958b6cba56d1d4cc773c23d1a4b0891
SSDEEP

384:aGpN5/SfmVoonJWpSu+Ip7JLyaBOEj63eVi06MCL3VHWZz:fhZSoEpnp7JLyWWElhCBMz

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	bfec0991994ff13915dc0fa56d435a60_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
3080	hhcbrnaff.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0007000000023278-13.dat	upx
behavioral2/memory/3080-16-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3080	1284	bfec0991994ff13915dc0fa56d435a60_NEIKI.exe	80
PID 1284 wrote to memory of 3080	1284	bfec0991994ff13915dc0fa56d435a60_NEIKI.exe	80
PID 1284 wrote to memory of 3080	1284	bfec0991994ff13915dc0fa56d435a60_NEIKI.exe	80

C:\Users\Admin\AppData\Local\Temp\bfec0991994ff13915dc0fa56d435a60_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bfec0991994ff13915dc0fa56d435a60_NEIKI.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
24KB

MD5
fc86595099e263dad7876515634ee54d

SHA1
ea678660f808de4ad6c50be0c8b78f49e810e4dc

SHA256
63faf9ecbc734be153f45104b4f6c5d3d7fa7f49f1f59adfea1df57392ef5f53

SHA512
94ba8aaea08fac49c03db1f9536a23392f58547701dc105a37c4f50614f68c3093ca926982914d71d9613b2c8d8c8179f41fedd8ca79cb13aa4419f85199fb33

Download Submit
memory/1284-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1284-1-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/1284-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1284-9-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/3080-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download