e50fa43532c6e030439e2d64c900809d20658d87668d5c5348220f16948b1a9e

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45727dce66b14809567077d53cec3400_NEIKI.exe
Size

3.2MB
MD5

45727dce66b14809567077d53cec3400
SHA1

0188682ab8743ae0da9dbc58fa8a71c2074423e2
SHA256

e50fa43532c6e030439e2d64c900809d20658d87668d5c5348220f16948b1a9e
SHA512

22962fa43a18e05e54a2c47c0efd13eb3167a5665dd019e10abc61659c93021d02741aace7b1ba6c144bb122a13b61f2d5c16ccbbf71746da58c668111ec1c89
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	45727dce66b14809567077d53cec3400_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3112	locdevdob.exe
2404	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDJ\\adobloc.exe"	45727dce66b14809567077d53cec3400_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidK1\\dobdevloc.exe"	45727dce66b14809567077d53cec3400_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	45727dce66b14809567077d53cec3400_NEIKI.exe
1480	45727dce66b14809567077d53cec3400_NEIKI.exe
1480	45727dce66b14809567077d53cec3400_NEIKI.exe
1480	45727dce66b14809567077d53cec3400_NEIKI.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe
3112	locdevdob.exe
3112	locdevdob.exe
2404	adobloc.exe
2404	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3112	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	89
PID 1480 wrote to memory of 3112	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	89
PID 1480 wrote to memory of 3112	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	89
PID 1480 wrote to memory of 2404	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	90
PID 1480 wrote to memory of 2404	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	90
PID 1480 wrote to memory of 2404	1480	45727dce66b14809567077d53cec3400_NEIKI.exe	90

C:\Users\Admin\AppData\Local\Temp\45727dce66b14809567077d53cec3400_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\45727dce66b14809567077d53cec3400_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\FilesDJ\adobloc.exe
  C:\FilesDJ\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDJ\adobloc.exe

Filesize
177KB

MD5
305ae6bd1e14b9d5fe4529c9526cbcd2

SHA1
b27f323de9d7187f2f0404748582a0d8f7355b5b

SHA256
af339106aa6e197389800858c1a2c7adaa21e0c29bec7a43fdf7ff2d1f37be2b

SHA512
3c90a35ed844019bda1da1ed31320e7d55b697b6ae27c17efa0fd74e8a1daaf38cdc8bd9416008326a363cecc1ee076f0ad7f64310a574b656b418058ef3e3bf

Download Submit
C:\FilesDJ\adobloc.exe

Filesize
3.2MB

MD5
3c7a16ce5fb4f554aaff18da555e1953

SHA1
d9646ffd8898dba2f93fb2771a842213614c81c5

SHA256
0f7e2b7b0cdb227c97714fa9bbbd3b2ff60372d48f37c2509422d5953860e2e8

SHA512
5b57a59432d62f6445f71a317b2406eafdcd05c4e5fdcf79168299096413ef2b66b0a1a88d90dd26068a31f7af4baa3712a1e18879ca13e1c9c7c9bd700f1fac

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
3fa7d2f77b735347391cf427d33986d7

SHA1
b12e7c2869b39158c5e22154f7458f77bd10ddbd

SHA256
796b03a696689a82319da1a060f9789733301b714c053bfcea9eef685503317f

SHA512
a9af9f6adeac8627312d4bfc43d4705c97b000c2b2da1a9a9aeed9e49afebfdfa8b398edd226ac43278d8bc4e5f770d6a2ddcfa7881398fc5265d2d609337f3a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
2316e4e27e3f8cb9617f164df93438c7

SHA1
ed07479aee986c72e5bcfd450832992c8081d97e

SHA256
d5c86443b2a5a4f457b4766f6b28cb976daf499ee725e05f267d3efe5a5cf805

SHA512
c9091cfbc08f58e1d350a52906c48a5a2021811206ca6ba0af5d4570c085a7a1448ffc6d0490536e9a0062f8141e44a2650c985801635e4d443786c168a399e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
9b85a25522f082fa671ab3de71020fa9

SHA1
e8c62e6bbc0605bd53634e20cef280fab8ee1406

SHA256
e869b3c10a468b19687baa4d0cc2f7e07482154de930ca1ff1a16ff1aa4207f7

SHA512
4ff8a102b3f312ad3c5fcc092d1dbcc3a3f39f772ac351e389ab973d340e237da33792ccc79623b69a08dec306f084bb8e0056a9d2c4b0fd1af3c65c79c0ed9b

Download Submit
C:\VidK1\dobdevloc.exe

Filesize
3.2MB

MD5
f80baa454e717f61095d3e4bac2bca06

SHA1
3365e62f4008e74943f707891d25deb1532f1824

SHA256
65a0f5203a38af153b54dbe7e050dd0e313d301ff0baa0182469af3309c7dc48

SHA512
0e6f2fd19879a38ff44469f6452bdf2e5da5f6877a3dcf998f97ab48520c7c532ce129eb9bee069ad94c554d3a8d06b7eff62560ce9875896688359d5536a7a7

Download Submit
C:\VidK1\dobdevloc.exe

Filesize
720KB

MD5
ef6b315516dbfa32d44bdbe3c70a0727

SHA1
7a11673a94eaa0b878929d938746108ad55e9b4f

SHA256
cdec74d6602fcf348a233c509b9cf4721f01f4ec84f1f9a306bc54ccdbecbac1

SHA512
6bcc639e1536d589856b90891f8030a410185e72c1b5ae4be4469539092085c3478a76eda2c0858b838ae603f50fd7f688a945a8545c3c9b59de5f5e91f54eb2

Download Submit