Overview

overview

7

Static

static

3

fb271a1b5b...KI.exe

windows7-x64

7

fb271a1b5b...KI.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe

  • Size

    512KB

  • MD5

    fb271a1b5b3c79e431ec668f312b5bc0

  • SHA1

    9e4d58de4baf4400c3f4c1df6f9b7638ff898db4

  • SHA256

    243441c2d0346df0fb3f4fd851bf67483e175451f8d1446df06e4d8171763b04

  • SHA512

    840bd9eefcc76483f77052de29f6c1634f39adbc4350b5fc7771fc5ff720b86af83eeae00863cab29a6c605746a066759d0ef1619c2c328970dcdebc7feee8df

  • SSDEEP

    12288:ZmB8gNlMehudCyfi0npM4dl0v5Jdm5IpS:AlMdCyfiEM4dmv5Bw

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 384
      2⤵
      • Program crash
      PID:3068
    • C:\Users\Admin\AppData\Local\Temp\fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe
      C:\Users\Admin\AppData\Local\Temp\fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:1360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 352
        3⤵
        • Program crash
        PID:3560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 772
        3⤵
        • Program crash
        PID:1848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 792
        3⤵
        • Program crash
        PID:1304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 780
        3⤵
        • Program crash
        PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 800
        3⤵
        • Program crash
        PID:1388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3920 -ip 3920
    1⤵
      PID:3152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1360 -ip 1360
      1⤵
        PID:2360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1360 -ip 1360
        1⤵
          PID:4288
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1360 -ip 1360
          1⤵
            PID:4028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1360 -ip 1360
            1⤵
              PID:2544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1360 -ip 1360
              1⤵
                PID:4484

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\fb271a1b5b3c79e431ec668f312b5bc0_NEIKI.exe
                Filesize

                512KB

                MD5

                6d1aa11b241bb10ae5219c9fdff0b585

                SHA1

                7b38b5247ed7af857e78a234cdeddef47487fb9b

                SHA256

                175fdb342a85ef597dd0cd9a38622de8a5ed5e4465057edeed8cc3a47dd7591b

                SHA512

                a56476e3f9745e8e0a33cf2ec137a43b4ef3bdd7e5ecab195e3c901cb039ae85c7fbb55539b76879e851edd0cef05e27dc92e1d5bf5df43d016fcc2acba45d8f

                Download Submit

              • memory/1360-7-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1360-8-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1360-13-0x0000000004DA0000-0x0000000004DDF000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1360-14-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/3920-0-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/3920-6-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download