Analysis
-
max time kernel
134s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
08-05-2024 18:50
General
-
Target
0f3410be43bd9139997b53dc571304b0_NEIKI.exe
-
Size
1002KB
-
MD5
0f3410be43bd9139997b53dc571304b0
-
SHA1
cb2e743d8254185d7bec6b3ae6af6312d4e0e835
-
SHA256
be8e046a55140023cef54bd6bdd1c8a089be2abd0375265e0c110c58a0874a83
-
SHA512
96140ab4e9c10cf81d55060c9a58d49338e60d0caf11a1a55d21f97a9e901541acb6bfaed5dfbcbf1c2050407b10ce88b08bda478be98b820c9849f140701c05
-
SSDEEP
12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsfUhQEsBLKR0ox5r93g1aKs2lyLU:zQ5aILMCfmAUjzX6xQtNBMtOFsXS
Malware Config
Signatures
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f3410be43bd9139997b53dc571304b0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\0f3410be43bd9139997b53dc571304b0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BD68411E-39B1-4459-B33B-201E696F77E1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exeC:\Users\Admin\AppData\Roaming\WinSocket\0f3410be43bd9139998b63dc681304b0_NFJLJ.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD569915b8d6dade48b08581d361011547e
SHA1a9a316130c2b0b55d74160696e221fa7b7f02e13
SHA256f71b81065081bedc565c1557184c207522e0aa45e34001f684bc9b7119724d51
SHA51215df1d314b2cb5431c7b29b36c9ee408b2239e00a7bb24fd06ae43097586c338d2d66f143f7f0dda1667cbe6165146613b8886e438165ff10d48a12fdfceac69
-
Filesize
1002KB
MD50f3410be43bd9139997b53dc571304b0
SHA1cb2e743d8254185d7bec6b3ae6af6312d4e0e835
SHA256be8e046a55140023cef54bd6bdd1c8a089be2abd0375265e0c110c58a0874a83
SHA51296140ab4e9c10cf81d55060c9a58d49338e60d0caf11a1a55d21f97a9e901541acb6bfaed5dfbcbf1c2050407b10ce88b08bda478be98b820c9849f140701c05
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB