Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 20:13

General

  • Target

    37c1379596c08f49ca728973d2b42b30_NEIKI.exe

  • Size

    38KB

  • MD5

    37c1379596c08f49ca728973d2b42b30

  • SHA1

    bb24ee5d6e09b4a1e86070c461851abf22bce7be

  • SHA256

    cbfa80497f1cc842ef4f42601b9827b65b3d4c413eb9f967cb96b6f9d3f81252

  • SHA512

    0ad15f7084c9af8a88c62d4b634438dcce73c4659c307bd407cb1e0587d264c32f0f9eabd7492a769404576980a7e1e1ccc71d4b56e34485f4669e3e585d61ec

  • SSDEEP

    768:fZjIoksdZlOvrA9DvsLKDrnuIeQTls5SQ48NPKQHDFw/Bh2+aBrP:RjwsdXOvrA9DvsLKfuIbBskQ4nsFwSrP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37c1379596c08f49ca728973d2b42b30_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\37c1379596c08f49ca728973d2b42b30_NEIKI.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe
      "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" -r
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\system32\pcaui.exe
        "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {43edc3a4-e400-4e09-bc67-4e0730eb5590} -a "VMware Workstation Pro" -v "VMware, Inc." -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 2109246 -k 0 -e "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe"
        3⤵
        PID:3096
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Local\Mozilla\00006CAB" vmplayer.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" \r
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:1396
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:2320
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:1632
          • C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe
            "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe" \r
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\system32\pcaui.exe
              "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {43edc3a4-e400-4e09-bc67-4e0730eb5590} -a "VMware Workstation Pro" -v "VMware, Inc." -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 2109246 -k 0 -e "C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe"
              5⤵
              PID:4612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\00006CAB

    Filesize

    38KB

    MD5

    6dc2dc903946b49d8e82e1f5f03bfa8c

    SHA1

    99d3f7d6d599c17cc2be0c19685ad8ea6a148b43

    SHA256

    03cdede8194b36678c7a15f4f1b84f4bcfc7ec9993f6970f19c856e1393c2d7b

    SHA512

    727830fd1213954006143c551b1281a13d157d9657751f494ba7f88b6338d1db3246d6823d0f80b1e91f52dbb43e0519ba5917e3634383583db78a8ae1fc4785

  • C:\Users\Admin\AppData\Local\Mozilla\vmplayer.exe

    Filesize

    38KB

    MD5

    37c1379596c08f49ca728973d2b42b30

    SHA1

    bb24ee5d6e09b4a1e86070c461851abf22bce7be

    SHA256

    cbfa80497f1cc842ef4f42601b9827b65b3d4c413eb9f967cb96b6f9d3f81252

    SHA512

    0ad15f7084c9af8a88c62d4b634438dcce73c4659c307bd407cb1e0587d264c32f0f9eabd7492a769404576980a7e1e1ccc71d4b56e34485f4669e3e585d61ec