Analysis
-
max time kernel
158s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-05-2024 01:39
General
-
Target
c1a74b1b6a507a4f9fee88153a546800_NEIKI.exe
-
Size
320KB
-
MD5
c1a74b1b6a507a4f9fee88153a546800
-
SHA1
f59064ff3d67e066fb19d7e864394155f87e6c2c
-
SHA256
48cfb7ebd68a18b0af21ae3d8499ba4d041c42e34b7ab62195ec56229c169051
-
SHA512
c70b2f2086261475874665922e41a32e64d1130cd974699994a0c0874d92336b1955acab8b357133c292d2f92766dd8a82daa733d71aa6f520bdadc09156a3e4
-
SSDEEP
6144:T0u+YJw7p8Kmsl7Pz/CV+tbFOLM77OLnFe3HCqxNRmJ4PavntPRD:yYomEL7tsNePmjvtPRD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1a74b1b6a507a4f9fee88153a546800_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\c1a74b1b6a507a4f9fee88153a546800_NEIKI.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cihjeq32.exeC:\Windows\system32\Cihjeq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eimlgnij.exeC:\Windows\system32\Eimlgnij.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fempbm32.exeC:\Windows\system32\Fempbm32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ggoiap32.exeC:\Windows\system32\Ggoiap32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hokgmpkl.exeC:\Windows\system32\Hokgmpkl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hjbhph32.exeC:\Windows\system32\Hjbhph32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jcgldl32.exeC:\Windows\system32\Jcgldl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kcehejic.exeC:\Windows\system32\Kcehejic.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mpnngh32.exeC:\Windows\system32\Mpnngh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ikechced.exeC:\Windows\system32\Ikechced.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ilglgfjd.exeC:\Windows\system32\Ilglgfjd.exe27⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kaaaak32.exeC:\Windows\system32\Kaaaak32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lmeapbpa.exeC:\Windows\system32\Lmeapbpa.exe29⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Mnndhi32.exeC:\Windows\system32\Mnndhi32.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nbiioe32.exeC:\Windows\system32\Nbiioe32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Obqopddf.exeC:\Windows\system32\Obqopddf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Olpjii32.exeC:\Windows\system32\Olpjii32.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pldcdhpi.exeC:\Windows\system32\Pldcdhpi.exe34⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pikqcl32.exeC:\Windows\system32\Pikqcl32.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe36⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Aploae32.exeC:\Windows\system32\Aploae32.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Apnkfelb.exeC:\Windows\system32\Apnkfelb.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bcfkiock.exeC:\Windows\system32\Bcfkiock.exe39⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Bleebc32.exeC:\Windows\system32\Bleebc32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dqhpjohb.exeC:\Windows\system32\Dqhpjohb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hdlhoefk.exeC:\Windows\system32\Hdlhoefk.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hjimaole.exeC:\Windows\system32\Hjimaole.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hjkigojc.exeC:\Windows\system32\Hjkigojc.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ialhdh32.exeC:\Windows\system32\Ialhdh32.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jmlkpgia.exeC:\Windows\system32\Jmlkpgia.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kpfggang.exeC:\Windows\system32\Kpfggang.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Laofhbmp.exeC:\Windows\system32\Laofhbmp.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lkgkqh32.exeC:\Windows\system32\Lkgkqh32.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ongijo32.exeC:\Windows\system32\Ongijo32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Plfipakk.exeC:\Windows\system32\Plfipakk.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qhofjbnl.exeC:\Windows\system32\Qhofjbnl.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qpikao32.exeC:\Windows\system32\Qpikao32.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aified32.exeC:\Windows\system32\Aified32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aihfjd32.exeC:\Windows\system32\Aihfjd32.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bimoecio.exeC:\Windows\system32\Bimoecio.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bbjmih32.exeC:\Windows\system32\Bbjmih32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bocjdiol.exeC:\Windows\system32\Bocjdiol.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Coegih32.exeC:\Windows\system32\Coegih32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cccppgcp.exeC:\Windows\system32\Cccppgcp.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Clnanlhn.exeC:\Windows\system32\Clnanlhn.exe66⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Chebcmna.exeC:\Windows\system32\Chebcmna.exe67⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dadlmanj.exeC:\Windows\system32\Dadlmanj.exe68⤵
-
C:\Windows\SysWOW64\Dagiba32.exeC:\Windows\system32\Dagiba32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Fiajfi32.exeC:\Windows\system32\Fiajfi32.exe70⤵
-
C:\Windows\SysWOW64\Ffekom32.exeC:\Windows\system32\Ffekom32.exe71⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Gbjhelnp.exeC:\Windows\system32\Gbjhelnp.exe72⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hakhcd32.exeC:\Windows\system32\Hakhcd32.exe73⤵
-
C:\Windows\SysWOW64\Hfoflj32.exeC:\Windows\system32\Hfoflj32.exe74⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hfacai32.exeC:\Windows\system32\Hfacai32.exe75⤵
-
C:\Windows\SysWOW64\Jdcplkoe.exeC:\Windows\system32\Jdcplkoe.exe76⤵
-
C:\Windows\SysWOW64\Kigoeagd.exeC:\Windows\system32\Kigoeagd.exe77⤵
-
C:\Windows\SysWOW64\Kkfkod32.exeC:\Windows\system32\Kkfkod32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mphfjhjf.exeC:\Windows\system32\Mphfjhjf.exe79⤵
-
C:\Windows\SysWOW64\Majoikof.exeC:\Windows\system32\Majoikof.exe80⤵
-
C:\Windows\SysWOW64\Odidld32.exeC:\Windows\system32\Odidld32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Onaieifh.exeC:\Windows\system32\Onaieifh.exe82⤵
-
C:\Windows\SysWOW64\Ojhijjll.exeC:\Windows\system32\Ojhijjll.exe83⤵
-
C:\Windows\SysWOW64\Onfbpi32.exeC:\Windows\system32\Onfbpi32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Occkhp32.exeC:\Windows\system32\Occkhp32.exe85⤵
-
C:\Windows\SysWOW64\Obdkfg32.exeC:\Windows\system32\Obdkfg32.exe86⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pbfglg32.exeC:\Windows\system32\Pbfglg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Pgemimck.exeC:\Windows\system32\Pgemimck.exe88⤵
-
C:\Windows\SysWOW64\Peimcaae.exeC:\Windows\system32\Peimcaae.exe89⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Papnhbgi.exeC:\Windows\system32\Papnhbgi.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qbbggeli.exeC:\Windows\system32\Qbbggeli.exe91⤵
-
C:\Windows\SysWOW64\Qbddmejf.exeC:\Windows\system32\Qbddmejf.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Aeemop32.exeC:\Windows\system32\Aeemop32.exe93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Aegidp32.exeC:\Windows\system32\Aegidp32.exe94⤵
-
C:\Windows\SysWOW64\Bngdndfn.exeC:\Windows\system32\Bngdndfn.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Blmamh32.exeC:\Windows\system32\Blmamh32.exe96⤵
-
C:\Windows\SysWOW64\Bonjnc32.exeC:\Windows\system32\Bonjnc32.exe97⤵
-
C:\Windows\SysWOW64\Bhfogiff.exeC:\Windows\system32\Bhfogiff.exe98⤵
-
C:\Windows\SysWOW64\Ckghid32.exeC:\Windows\system32\Ckghid32.exe99⤵
-
C:\Windows\SysWOW64\Cellfm32.exeC:\Windows\system32\Cellfm32.exe100⤵
-
C:\Windows\SysWOW64\Cdaigi32.exeC:\Windows\system32\Cdaigi32.exe101⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ceaealoh.exeC:\Windows\system32\Ceaealoh.exe102⤵
-
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe103⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dlpgiebo.exeC:\Windows\system32\Dlpgiebo.exe104⤵
-
C:\Windows\SysWOW64\Fdiafc32.exeC:\Windows\system32\Fdiafc32.exe105⤵
-
C:\Windows\SysWOW64\Hoakpi32.exeC:\Windows\system32\Hoakpi32.exe106⤵
-
C:\Windows\SysWOW64\Hmfkin32.exeC:\Windows\system32\Hmfkin32.exe107⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hillnoif.exeC:\Windows\system32\Hillnoif.exe108⤵
-
C:\Windows\SysWOW64\Ibeqgdpf.exeC:\Windows\system32\Ibeqgdpf.exe109⤵
-
C:\Windows\SysWOW64\Icdmqg32.exeC:\Windows\system32\Icdmqg32.exe110⤵
-
C:\Windows\SysWOW64\Ipkneh32.exeC:\Windows\system32\Ipkneh32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ilbnkiba.exeC:\Windows\system32\Ilbnkiba.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ibncmchl.exeC:\Windows\system32\Ibncmchl.exe113⤵
-
C:\Windows\SysWOW64\Imdgjlgb.exeC:\Windows\system32\Imdgjlgb.exe114⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Jbqpbbfi.exeC:\Windows\system32\Jbqpbbfi.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kfanen32.exeC:\Windows\system32\Kfanen32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lpcedbjp.exeC:\Windows\system32\Lpcedbjp.exe117⤵
-
C:\Windows\SysWOW64\Lepnli32.exeC:\Windows\system32\Lepnli32.exe118⤵
-
C:\Windows\SysWOW64\Mdhdkp32.exeC:\Windows\system32\Mdhdkp32.exe119⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pqhammje.exeC:\Windows\system32\Pqhammje.exe120⤵
-
C:\Windows\SysWOW64\Pfeiedhm.exeC:\Windows\system32\Pfeiedhm.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-