cbfa80497f1cc842ef4f42601b9827b65b3d4c413eb9f967cb96b6f9d3f81252

General

Target

37c1379596c08f49ca728973d2b42b30_NEIKI.exe
Size

38KB
MD5

37c1379596c08f49ca728973d2b42b30
SHA1

bb24ee5d6e09b4a1e86070c461851abf22bce7be
SHA256

cbfa80497f1cc842ef4f42601b9827b65b3d4c413eb9f967cb96b6f9d3f81252
SHA512

0ad15f7084c9af8a88c62d4b634438dcce73c4659c307bd407cb1e0587d264c32f0f9eabd7492a769404576980a7e1e1ccc71d4b56e34485f4669e3e585d61ec
SSDEEP

768:fZjIoksdZlOvrA9DvsLKDrnuIeQTls5SQ48NPKQHDFw/Bh2+aBrP:RjwsdXOvrA9DvsLKfuIbBskQ4nsFwSrP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
288	vmplayer.exe
2816	vmplayer.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe
1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe
1952	cmd.exe
1952	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vmplayer = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\vmplayer.exe -r"	vmplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2664	PING.EXE
2700	PING.EXE
2548	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 288	1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe	28
PID 1684 wrote to memory of 288	1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe	28
PID 1684 wrote to memory of 288	1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe	28
PID 1684 wrote to memory of 288	1684	37c1379596c08f49ca728973d2b42b30_NEIKI.exe	28
PID 288 wrote to memory of 1952	288	vmplayer.exe	29
PID 288 wrote to memory of 1952	288	vmplayer.exe	29
PID 288 wrote to memory of 1952	288	vmplayer.exe	29
PID 288 wrote to memory of 1952	288	vmplayer.exe	29
PID 1952 wrote to memory of 2664	1952	cmd.exe	31
PID 1952 wrote to memory of 2664	1952	cmd.exe	31
PID 1952 wrote to memory of 2664	1952	cmd.exe	31
PID 1952 wrote to memory of 2664	1952	cmd.exe	31
PID 1952 wrote to memory of 2700	1952	cmd.exe	32
PID 1952 wrote to memory of 2700	1952	cmd.exe	32
PID 1952 wrote to memory of 2700	1952	cmd.exe	32
PID 1952 wrote to memory of 2700	1952	cmd.exe	32
PID 1952 wrote to memory of 2548	1952	cmd.exe	33
PID 1952 wrote to memory of 2548	1952	cmd.exe	33
PID 1952 wrote to memory of 2548	1952	cmd.exe	33
PID 1952 wrote to memory of 2548	1952	cmd.exe	33
PID 1952 wrote to memory of 2816	1952	cmd.exe	34
PID 1952 wrote to memory of 2816	1952	cmd.exe	34
PID 1952 wrote to memory of 2816	1952	cmd.exe	34
PID 1952 wrote to memory of 2816	1952	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\37c1379596c08f49ca728973d2b42b30_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\37c1379596c08f49ca728973d2b42b30_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe
  "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Local\Mozilla\00005659" vmplayer.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" \r
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2664
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2700
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2548
  - - C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe
      "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" \r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\00005659

Filesize
38KB

MD5
c5ce204b66b3ae559e0f1f1c7fbc2a26

SHA1
b9b21cc77a8a37dbbb37bc13a2308907ea9b68ba

SHA256
c9c48e9ec0ae4c6496461a5d4c36a8fba404e20e822d4cc7aa5acc169370bd2f

SHA512
e5b5e2ccdd0afcb3ae9b2c0b959b75958492ecfab99de3acbbf92bc80784ef0d8f785ed87df345a806efcc449a4772f2289ed59469fc3ad80f283e0587e559ee

Download Submit
\Users\Admin\AppData\Local\Mozilla\vmplayer.exe

Filesize
38KB

MD5
37c1379596c08f49ca728973d2b42b30

SHA1
bb24ee5d6e09b4a1e86070c461851abf22bce7be

SHA256
cbfa80497f1cc842ef4f42601b9827b65b3d4c413eb9f967cb96b6f9d3f81252

SHA512
0ad15f7084c9af8a88c62d4b634438dcce73c4659c307bd407cb1e0587d264c32f0f9eabd7492a769404576980a7e1e1ccc71d4b56e34485f4669e3e585d61ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads