7e30871cefa554f02346d797bdfa7528c80599263fbc43d4fba15a7ee5b57e7a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

094dc977bc15888caa4d478b9fba34c0_NEIKI.exe
Size

9.0MB
MD5

094dc977bc15888caa4d478b9fba34c0
SHA1

c8e77af9ba2a41596b0c44d78abe737330f35aaf
SHA256

7e30871cefa554f02346d797bdfa7528c80599263fbc43d4fba15a7ee5b57e7a
SHA512

cf535a44fe8199b018877aea27148685fd0a306b6d5d31edebbc41543e4809ad23e76f189ebb117d11401dc5f9aba984c04f6102f2057600ac87c960c60b3a3d
SSDEEP

196608:9O1vl2I4a7SdzRDymXLa4mX10Dtb3gvjCUE2nKNfMILF9UBDHLSwxT1aQhS:Wt2O7Sd1ymX+4mXsbQGUCZM6kzWu12

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	autorun.exe

Loads dropped DLL 3 IoCs

pid	Process
3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe
2480	autorun.exe
2480	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2480	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe
3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe
2480	autorun.exe
2480	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28
PID 3000 wrote to memory of 2480	3000	094dc977bc15888caa4d478b9fba34c0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\094dc977bc15888caa4d478b9fba34c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\094dc977bc15888caa4d478b9fba34c0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\094dc977bc15888caa4d478b9fba34c0_NEIKI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik11.Btn

Filesize
4KB

MD5
eb199b1cb2087cadf5dd4d7b06db4f62

SHA1
2033bed8c8de0805e8fdbebadfd710e42fbe1a68

SHA256
b99136b165304979e84e98930ea5fee03508b8967acf6b82844b96863d916b15

SHA512
a133b9d14143b0d67f876b19f22fcf7d72352872352d7c5dd8a9ae05551e9350c5ede194416a0802816dd4c82418679c52b3ae578bf0f63e446ea868f8a9d387

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Home2.Btn

Filesize
3KB

MD5
1c85362b0780dfb2f580e567ad57643a

SHA1
c1ca2efb091d5540c8d300a00420fb3060874e61

SHA256
70919d158d55ba3a9c38bbe91c79bc69452e67fe7862aa00fe77df56a7dde4e7

SHA512
57d643adeb7ae8409312a0b8ac1b4774d51543f31ee4f1ea27a57fb34521d21d3590e23d8470d03967aff137117c8ace46b8a20adc6e65c1a411f70dbfd85690

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn

Filesize
17KB

MD5
9ecb9fcfdcb46a87ec244cfe23659e0e

SHA1
b389705b9cc52e7e12a0f7f68a4f6922ea9db107

SHA256
3ff2c5e7c1b7471d41d64bd39b2d8e2df3761408c0b235ce8ccbb3d39417466f

SHA512
12a61f1cdff7faf5fe40fd83d2cbb4ef17554be2b2ead82162d685a3b492f7149bfb82b8c65a5d20e061a287140c5350923c0adab9fc7e47a7c98f3fdead8498

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\main-screen.jpg

Filesize
170KB

MD5
16ace5798f3499d9685197740cd00735

SHA1
5a5d4765b3d2046cd1d4fcc714e77d188b8e52ab

SHA256
0c88a592cb5448d2131a15f208580365cf383a2445ed60ca55987f42ecc4ce11

SHA512
f5e7f3bdba6aa633bb28991c5dc9ce0e9a010ca133165417ff81c48d6cacd87d89b93533176311a60823d8d98c13bd4134ce1bcd0f90f644092779cf47aa14e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns

Filesize
136KB

MD5
6a9b0ab9341ac4204aafc7fac9872962

SHA1
dc6ceafcb39b7329552d0883f2c3284dddbb0ddc

SHA256
6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2

SHA512
76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\chew.enc

Filesize
16KB

MD5
79d859f99556dfab768ef4af334ae4f0

SHA1
fad57afc141bc14e9a55d2d979996bb25edec4f1

SHA256
359dd9043e720156a55f2aa29bbbbb5f74f6fdb9aa645d8c8f3107296fe2d4fc

SHA512
e0f3b61ac5ab4cf527ef73ed66d75b3c749161b3a052c6c0d44744a643f48167210e930ef6636f79834a56e50331a63ba53d440dee14ce53ffaa4c7da66a280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
1.7MB

MD5
1c42c49a03f8416736f243907b1c8c0a

SHA1
64a6bc73c97b85c35813d7c3386753e0c8fd7e63

SHA256
6f9a4a22186afb4efd48689fe9dad4a1cf1cfd6f2706d3411c8f5d83607e0ba9

SHA512
6385706f690fa75267af441fc614a3971e4a7e5dab08de76e6a2773f5a4284bfb13e9c08595fc9b3dc39672f74ec1af26c79581df0cf9eb45b8ddb2785f22026

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\mainicon.ico

Filesize
361KB

MD5
31aca1a1047efbc8d2a6e22101b2227b

SHA1
7f0500f0dd7b33f13efcef891700d17306762e02

SHA256
a9eaafa2c8e36bb80f58d5930694676d76dab647b8f709f3142649bb8018fbfa

SHA512
190dd9471fdc93e9eeb8dede79f3b9f1a67c3ff62e5733f51ddf03130790ae0e409da92d46c8e616c35bcd5dbc9d2139c95452843f8a8a4ba8b4d70d1e43427a

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
3.0MB

MD5
6ed1ff22271e42f1b1b794fcf013c792

SHA1
bedfc9238562d8f060aa8ba2dd611fb0bd69028c

SHA256
3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9

SHA512
0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

Download Submit