7f92435bff8d0ec45a55f96ba885730e4257ca2d211a1dd3992a0d7c0e75687c

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 04:28

Target

efafa2553943531d8cff8eba40b508a0_NEIKI.exe
Size

107KB
MD5

efafa2553943531d8cff8eba40b508a0
SHA1

7729be1b62f676d579c921403ec5e6a5c9854ad7
SHA256

7f92435bff8d0ec45a55f96ba885730e4257ca2d211a1dd3992a0d7c0e75687c
SHA512

f59212dd15b738a2309cfac7b5c7db76fc0cf399715fc35f21ffda9534ef4de8c69e98e7de0a72d408c7baeb1fa600046060d2530b9204cc9461aae4abbdeb94
SSDEEP

3072:mAayGHbc5sta5L+BC3K5eqU+BC3K5eqYroJt0:mh7c5dFK70K7N6

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1616	tbckyxk.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	efafa2553943531d8cff8eba40b508a0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	tbckyxk.exe
Token: SeDebugPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1616	2984	taskeng.exe	29
PID 2984 wrote to memory of 1616	2984	taskeng.exe	29
PID 2984 wrote to memory of 1616	2984	taskeng.exe	29
PID 2984 wrote to memory of 1616	2984	taskeng.exe	29
PID 1616 wrote to memory of 1200	1616	tbckyxk.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200
- C:\Users\Admin\AppData\Local\Temp\efafa2553943531d8cff8eba40b508a0_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\efafa2553943531d8cff8eba40b508a0_NEIKI.exe"
  2⤵
  - Drops file in Program Files directory
  PID:2776

C:\Windows\system32\taskeng.exe
taskeng.exe {B5772709-C5CC-4A72-A6C8-01532A33BB5F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
107KB

MD5
588149069a7000593cd1c8bff5d4fa6b

SHA1
2ff7f1dab77cd84aa8ce732b73cd0b58a5298ccc

SHA256
0f62b7307b1c83ae444ea11e8c80cd9f3d1a4b1d6bf6873bda667e50e2cfc206

SHA512
c236a21a8b15cc61829081537607049ada23193a5635d4cdf8c16e0c08cc14fe243bb3536342d5753409efc8a0719e86103aecfbc07aae037895deb4bb69b98e

Download Submit
memory/1200-3-0x0000000002AF0000-0x0000000002B0C000-memory.dmp

Filesize
112KB

Download
memory/1200-5-0x0000000002AF0000-0x0000000002B0C000-memory.dmp

Filesize
112KB

Download