61e70d85c001dd7c0aef0846195cdc073c7f695e09ccd7b6bc41dbed9ecb400a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

419d267a9da4484def40df4b6c7c55f0_NEIKI.exe
Size

46KB
MD5

419d267a9da4484def40df4b6c7c55f0
SHA1

994b6221f6255da8fae701ab27883384baa1c9e3
SHA256

61e70d85c001dd7c0aef0846195cdc073c7f695e09ccd7b6bc41dbed9ecb400a
SHA512

b85dd411d6f3a5116004d4f4821fbd6715cb7527a4b4074c3b7cd53042ba403601144956792dc15e988dfe78a6f74d99c6eec1bbfbf2323f6a71cc83e1943798
SSDEEP

768:75wRI7PsED3VK2+ZtyOjgO4r9vFAg2rqrINT0qxn0GVRzb8:+wYTjipvF2N0qxdRzb8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	hcbnaf.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	419d267a9da4484def40df4b6c7c55f0_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2032	2072	419d267a9da4484def40df4b6c7c55f0_NEIKI.exe	28
PID 2072 wrote to memory of 2032	2072	419d267a9da4484def40df4b6c7c55f0_NEIKI.exe	28
PID 2072 wrote to memory of 2032	2072	419d267a9da4484def40df4b6c7c55f0_NEIKI.exe	28
PID 2072 wrote to memory of 2032	2072	419d267a9da4484def40df4b6c7c55f0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\419d267a9da4484def40df4b6c7c55f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\419d267a9da4484def40df4b6c7c55f0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
47KB

MD5
09a8a103a556658f656a1ef28b140397

SHA1
d0e8a3dd6902107f9577d03fe0e10ad9cda87d92

SHA256
f0875af58dc2383f86ae6aef9f6ab13e70bd27eeafea1d5804d1416733c89ebb

SHA512
0e96cede7bc4c14937b8d1e27b6a8f2b685038173156d33b4747378e1f932fa8715ffca6c5e85ea1bad549c3b1d098ede42a6da79dc17d587548c17cddca04f1

Download Submit