c11cfbdffbfbf7a25d5981823fae03cb15f9cd021c3d36dbfb1b9716e1e1bb9c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0008c198af16bc9b963ec8d58ab63980_NEIKI.exe
Size

229KB
MD5

0008c198af16bc9b963ec8d58ab63980
SHA1

7d8bf86234da4082762d8c60223a2c6a1a4e8487
SHA256

c11cfbdffbfbf7a25d5981823fae03cb15f9cd021c3d36dbfb1b9716e1e1bb9c
SHA512

82990a2b4e5a7c8398d89e32a516051a5d3bda575b86115c8bba50b8ec493ddc42c2c490b01a98a374b5868aee26ff3822640aaaf462e648095ae74267d3e095
SSDEEP

3072:oTNkXHfvl0awuW22s1z/7zLou7YPUpUld9tSMsCNjqaoMrV2eEwSXsH7:o2fvloM1T7r7YMpRBMVf

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2672	zketugg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zketugg.exe	0008c198af16bc9b963ec8d58ab63980_NEIKI.exe
File created	C:\PROGRA~3\Mozilla\hbibisc.dll	zketugg.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2400	0008c198af16bc9b963ec8d58ab63980_NEIKI.exe
2672	zketugg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2672	2584	taskeng.exe	29
PID 2584 wrote to memory of 2672	2584	taskeng.exe	29
PID 2584 wrote to memory of 2672	2584	taskeng.exe	29
PID 2584 wrote to memory of 2672	2584	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\0008c198af16bc9b963ec8d58ab63980_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0008c198af16bc9b963ec8d58ab63980_NEIKI.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2400

C:\Windows\system32\taskeng.exe
taskeng.exe {0B367310-ECC3-4339-8FE1-630B6EF73671} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\PROGRA~3\Mozilla\zketugg.exe
  C:\PROGRA~3\Mozilla\zketugg.exe -bsvwzxb
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\zketugg.exe

Filesize
229KB

MD5
2eb382304d8d1255d9323d7720343718

SHA1
a9678b66e08e7e67a5419761ff3df0dd9646341d

SHA256
5357387ff97bd630b0935301eb26ee8bb2f9d02494c87e937a8c0d0ff2debce1

SHA512
7d6de586878da552592dc9397577f50c64830b1fc7f6e8039e2f01ea17cea0eb727452e2ae3b1be4cd0895baf0b5192e184f720216797e9ce5d1a8bd735cdf50

Download Submit
memory/2400-0-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2400-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2400-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2400-4-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2672-7-0x00000000008A0000-0x00000000008FB000-memory.dmp

Filesize
364KB

Download
memory/2672-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2672-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download