ddd45351e05ed1360985bef4ed14f558596b5521cacb9d24046549a2cdc2e01d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

029fa9bd4b574623a93390a908ab46d0_NEIKI.exe
Size

1.3MB
MD5

029fa9bd4b574623a93390a908ab46d0
SHA1

72bc9a85ae2ea43e9c78f3713f58a8370abecd35
SHA256

ddd45351e05ed1360985bef4ed14f558596b5521cacb9d24046549a2cdc2e01d
SHA512

979f539f377513207eaf58838391d6cafe5ae5fd595e299104574d91311965b210b6f4afa028dea7a82edce1e5bdbeaf5df4da96e74afbe75fbfe76f6a85f7a6
SSDEEP

24576:zq2RXvNDXDLU+JyxAdkO8syl7UDD6+K7jHxUuzXSAaEVjjyGweVl8zN/ME1:zqOfNDTLUe6+LyNUvS7L7SAvwhpRB1

Score

7^/10

evasion upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023440-14.dat	acprotect
behavioral2/files/0x0007000000023441-26.dat	acprotect

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe

Loads dropped DLL 3 IoCs

pid	Process
2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe
4224	RunDll32.exe
2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2020-0-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/files/0x0007000000023440-14.dat	upx
behavioral2/memory/2020-18-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4224-21-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/files/0x0007000000023441-26.dat	upx
behavioral2/memory/2020-31-0x0000000072EA0000-0x0000000072F3C000-memory.dmp	upx
behavioral2/memory/2020-34-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/2020-35-0x0000000072EA0000-0x0000000072F3C000-memory.dmp	upx
behavioral2/memory/4224-36-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/2020-37-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/2020-42-0x0000000072EA0000-0x0000000072F3C000-memory.dmp	upx
behavioral2/memory/2020-53-0x0000000072EA0000-0x0000000072F3C000-memory.dmp	upx
behavioral2/memory/2020-61-0x0000000072EA0000-0x0000000072F3C000-memory.dmp	upx
behavioral2/memory/2020-60-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4224-86-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4224-90-0x0000000073290000-0x000000007335C000-memory.dmp	upx

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\FalconBetaAccount	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\FalconBetaAccount\remote_access_client_id = "1222829802"	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe
4224	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4224	2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe	82
PID 2020 wrote to memory of 4224	2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe	82
PID 2020 wrote to memory of 4224	2020	029fa9bd4b574623a93390a908ab46d0_NEIKI.exe	82

C:\Users\Admin\AppData\Local\Temp\029fa9bd4b574623a93390a908ab46d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\029fa9bd4b574623a93390a908ab46d0_NEIKI.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\utt4C2C.tmp",_OCPRD119RunOpenCandyDLL@16 2020
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADKAppsOfferManager.dll

Filesize
221KB

MD5
f9dfb7d01568bf06b3b335652e8eb637

SHA1
1bfcca85cf0fae45ef4683a33653a0b9420d5333

SHA256
a14248c0cebba9b698a8b8e0a36df6e04d01fb258b374a48498729609bc17ff8

SHA512
e4ebbe75ed4add4db5ac17468a165561c99b6601dd6d21c96ffd099dae4fd71223f06ba602da0c499a9ae5bbbd24ceac093a2fc8973f475c227b56dadb8d69de

Download Submit
C:\Users\Admin\AppData\Local\Temp\utt4C2C.tmp

Filesize
293KB

MD5
7a9bf84ae6f5793548177fb6998ce922

SHA1
52f3182e4cd4058d14afd9e40b14fed9d9b1494b

SHA256
6b85f7a8a87270292f546cd1de615e594a37e518c4d0d35d136a52a0cc934c80

SHA512
2e8bba02c58c39d08337c730afff85649a2f35d3cc68938456b8e4674a5aa6034fa056f847f18213716d9195526a4da8cc8af7ed7e022c581fc05963eb53a789

Download Submit
C:\Users\Admin\AppData\Roaming\BitTorrent\settings.dat.old

Filesize
6KB

MD5
2596e6cf97dcf15eea04b8548e8844cb

SHA1
9b31e394974c3a5f9971bfc2faaece9762945f1c

SHA256
8b4a1b6d059f3512078fe065c58baf292efca5e02e290d156170cb792c1f796d

SHA512
b666ed59d3a38b90e201a3336bd41055b3264b4e4c214d0424cfe76220edb478dd9e719cea6e0121b2e5589507850887777066cc275d50a177ff1152fc1244b9

Download Submit
memory/2020-42-0x0000000072EA0000-0x0000000072F3C000-memory.dmp

Filesize
624KB

Download
memory/2020-53-0x0000000072EA0000-0x0000000072F3C000-memory.dmp

Filesize
624KB

Download
memory/2020-60-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2020-18-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2020-31-0x0000000072EA0000-0x0000000072F3C000-memory.dmp

Filesize
624KB

Download
memory/2020-34-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2020-35-0x0000000072EA0000-0x0000000072F3C000-memory.dmp

Filesize
624KB

Download
memory/2020-61-0x0000000072EA0000-0x0000000072F3C000-memory.dmp

Filesize
624KB

Download
memory/2020-37-0x0000000000400000-0x00000000009C2000-memory.dmp

Filesize
5.8MB

Download
memory/2020-0-0x0000000000400000-0x00000000009C2000-memory.dmp

Filesize
5.8MB

Download
memory/4224-21-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4224-36-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4224-22-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/4224-86-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4224-90-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download