e50fa43532c6e030439e2d64c900809d20658d87668d5c5348220f16948b1a9e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45727dce66b14809567077d53cec3400_NEIKI.exe
Size

3.2MB
MD5

45727dce66b14809567077d53cec3400
SHA1

0188682ab8743ae0da9dbc58fa8a71c2074423e2
SHA256

e50fa43532c6e030439e2d64c900809d20658d87668d5c5348220f16948b1a9e
SHA512

22962fa43a18e05e54a2c47c0efd13eb3167a5665dd019e10abc61659c93021d02741aace7b1ba6c144bb122a13b61f2d5c16ccbbf71746da58c668111ec1c89
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	45727dce66b14809567077d53cec3400_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	ecdevbod.exe
2636	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	45727dce66b14809567077d53cec3400_NEIKI.exe
2208	45727dce66b14809567077d53cec3400_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGO\\xoptisys.exe"	45727dce66b14809567077d53cec3400_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIG\\dobdevec.exe"	45727dce66b14809567077d53cec3400_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	45727dce66b14809567077d53cec3400_NEIKI.exe
2208	45727dce66b14809567077d53cec3400_NEIKI.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe
2572	ecdevbod.exe
2636	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2572	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	28
PID 2208 wrote to memory of 2572	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	28
PID 2208 wrote to memory of 2572	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	28
PID 2208 wrote to memory of 2572	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	28
PID 2208 wrote to memory of 2636	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	29
PID 2208 wrote to memory of 2636	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	29
PID 2208 wrote to memory of 2636	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	29
PID 2208 wrote to memory of 2636	2208	45727dce66b14809567077d53cec3400_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\45727dce66b14809567077d53cec3400_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\45727dce66b14809567077d53cec3400_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\UserDotGO\xoptisys.exe
  C:\UserDotGO\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZIG\dobdevec.exe

Filesize
2.1MB

MD5
f3868168ee6a64559e0db3a5a419cc23

SHA1
8e3fcc2f3536ce8fc4ef86833a425d0a088583e0

SHA256
fcdc19fd58d2d8fffa6411ebbb7320a5ffbb5765faf7c5762a220bb024f67d45

SHA512
acbff08015e12452f2a1845873fdefc0d323716edc56bc0c7aaa75aa0be236d0a2cedbf6dbb3929c880c64670eadf1f6f672baef4d5d736c10bdbc412648d44f

Download Submit
C:\LabZIG\dobdevec.exe

Filesize
3.2MB

MD5
8faf7f3a8567f08677df1a8145e17bb7

SHA1
c61ca281e089f0ebcb19090c34fc0fcc2736f5df

SHA256
7cffddec19c98ceea88c658270e7b2013334e16f267fd2b2ccb2bbabfce55fbf

SHA512
0146947e28d8848c1a90a60de92d357b3da568654df709818434dd6434fb63e7cc4749ec4324951f693316ced7c02d0c10bfdbd02fce0f746f11b6804b3adaf0

Download Submit
C:\UserDotGO\xoptisys.exe

Filesize
3.2MB

MD5
089e0629bb712fbf36b4760a97c7ad5a

SHA1
05225d53d9e31e47b312ff8d6eb761ee3598644b

SHA256
0e57723f07fa2de11926f4c1480679258012bdbad559f4eeca9d1acf2164010d

SHA512
1b806ba5691a2163c293d13c061d2a49904b4b2afefbe16cb835aa0160cc47136711baa00a9e2b8f787605f78f3fa1219f0d4e476863d3bd5315d8041af55564

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
9bfbc6d2826e78b9a9e3c698b41c4eb4

SHA1
6157d2f439aa0202ed55553f23f8550b9586a6b3

SHA256
51a5f53824564b55b02e2c5eb5c2d453144570f2078d48fc2c8c2023bd1c704c

SHA512
42300da1fe64096ea3cf4a8b8b63cf6a97c6c988a31ad34b0badd2b60a94b8a20a63ec447527cf7089b5ab29809b8c5a0094dbcae5e4bfbdaf43f4c4af08d501

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
2e7b6742ca4680500d0c16e8afad1e2d

SHA1
5b2b6344d1f5688530fbe3991bd0c2fc3538d426

SHA256
d88995a62589409c950d6bd890c59df728bdbdd23fd6d9f8ba98aaca5d8503fe

SHA512
9a08035775bd6e10aa6caf98c487c95ee7e45ded1df493262abdfc8d183f2181bcd5b3ff250869406364c48c7a08bee70464f01348216183b17c0b65c599990e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.2MB

MD5
087b089bb88184ae0b3454d00302fee3

SHA1
30477688d5187ab31b51fb5ba7813ddac2c204cb

SHA256
50e69cd298c98df78f4445915cae13a55756383d8fc1b1391c52f90029e14e88

SHA512
4ac300c532b4f790aa99c40869ff6f936632e8256bdab30d8e846f3655abc0bbf7da17d882858ea010c087953a746f4b65be823752b7377b63429062e351f809

Download Submit