98aa288c8e151aa1c4ee3a8a27576a461ce3a35529c8163554e43e9daa9cf565

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
Size

2.6MB
MD5

435a65ed96226c675cab76b1a000a0d0
SHA1

f2784486cfbb90393f6903f00de28ee1880b7903
SHA256

98aa288c8e151aa1c4ee3a8a27576a461ce3a35529c8163554e43e9daa9cf565
SHA512

59c4d0c5afa9eb0435fa3b4ba9108a73dbb27f9ee7e3979f42e13fa91e8ff67f4968572982e0bd5e23612fefca66f1e2bd20e3e29bdfe83ea2226b31b815acf8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpyb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	sysabod.exe
3368	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0F\\xdobsys.exe"	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax45\\boddevsys.exe"	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe
1052	sysabod.exe
1052	sysabod.exe
3368	xdobsys.exe
3368	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1052	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	91
PID 3468 wrote to memory of 1052	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	91
PID 3468 wrote to memory of 1052	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	91
PID 3468 wrote to memory of 3368	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	92
PID 3468 wrote to memory of 3368	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	92
PID 3468 wrote to memory of 3368	3468	435a65ed96226c675cab76b1a000a0d0_NEIKI.exe	92

C:\Users\Admin\AppData\Local\Temp\435a65ed96226c675cab76b1a000a0d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\435a65ed96226c675cab76b1a000a0d0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Files0F\xdobsys.exe
  C:\Files0F\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0F\xdobsys.exe

Filesize
1.4MB

MD5
72a8e39ed1f4ac5fc5353adbce4cd190

SHA1
d4230298029d69c1bc1b98cb550419f1dbbf9280

SHA256
e884fe9a3a02474c8cafcf153bb14ecf385f0a01682b205ef81b256abf734bb1

SHA512
7c5909fbb2bbe577018e77d7c836b38a4cb4799277a45e1c07415ecc110bf4a995d9d613cbff8b8b1a34436ea05dfe3210cbc45b49a64bf2b34659e7125aa86f

Download Submit
C:\Files0F\xdobsys.exe

Filesize
2.6MB

MD5
f3564e9ac7f5b3971bef96ae52a70a04

SHA1
d026b7d94d750596a5ddf3cad95a314f8d1c0e40

SHA256
74f11dd126d43867e1bf6698397f8862316b0d11a1c39549c4198e702aa2e14b

SHA512
cc76bed702e319596d1570a84bebba87bb0d4aab17d04f8d9735f68096f7d661b3d7f82f44f0c225db1ff0a61d2364cad870f859a2a5e8e7bdd756c00e062a01

Download Submit
C:\Galax45\boddevsys.exe

Filesize
1.4MB

MD5
d94cc8ca831e438b3d6e81ca56659fcb

SHA1
11f618a89614c7cc31896335970861eda7a9903f

SHA256
0934088a2d97b1da54bdbe6eb4e88ba4b899c36ae57ae8a916ed0e41d543ca94

SHA512
366585449d5edf0a1ae7a269be4dbb33b702432d7d851d079c4428d4e77006fb697c933f71d2756efb2639d85a6d9028a6dfcb88ec8a0e2bc534e62ed93bcf0c

Download Submit
C:\Galax45\boddevsys.exe

Filesize
107KB

MD5
72ba504f48caafe4654328ff5d6414fa

SHA1
d8ca8d9c5cf9f1d4258df25f762cfdf0f50268be

SHA256
cfe9c8adb349f35ef0cbab74b3966ef17e157821e916dfdb29e212f4e2fcc1a8

SHA512
6860c24852ce29ca80333f325adf4c2cd680bb8afcf73c70e96f9df56fac49494758d1c6514fecce60fe297a791d052cfaf20e541b81589ce30d8127b59c2a0f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f1ec1aabde4ce1b47ea7dbdb16e5c789

SHA1
a3098ead576db49c6f83a9017286dbb44166954f

SHA256
6c034952b5a477fa78742cc709edd2ec94a135595d5c303d5193d918e6271334

SHA512
1932f841e42fce34ce1f813ff74fcfcc1d75d384fe813c9def74265933de54a528967cb48b03bd6c122262715ce3a549713574cb2214695990a9896efc7b77d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
23027bd17d91ce4509830941ad81482a

SHA1
765a0f8a964f3abb1d521b58aaa9237af0461927

SHA256
7957a14e57ea8dcf34764f86fc146ba12d111087d8ea0287060091bc2b6418e4

SHA512
47311c7fbb5c9ab6d4db0687efaf7c77739302ab91ebbbc600c7ed2d8368e78e01c73eef635d014522012b1fc712bb560ee8c74e88ac5ec68ec19f4db5f91188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
0a8d6923f1bc6791be10837d59315950

SHA1
454fd65c1e697767dfce7c8d6d1fd90ef258c108

SHA256
73a272d35a01dd8504b11e6d184fd08361861d37600c37da8a44f4bfdb12c035

SHA512
52b8e0accab93b435f508e0ea180485c9e5f8b485a78a0854856fadda18bd1748a8daa1da8c207b769ed34c90ac5f578827331652e8a18fe5a468e90d5835e54

Download Submit