aaaf401dfb8cfe7e3004968a2217065b60d246b131a79e46aa16d2cd70b746dc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

482f471545e4327efaf6809408b51880_NEIKI.exe
Size

3.2MB
MD5

482f471545e4327efaf6809408b51880
SHA1

e52f3b7be08b4cc094a58fca18399dac36ac799b
SHA256

aaaf401dfb8cfe7e3004968a2217065b60d246b131a79e46aa16d2cd70b746dc
SHA512

32d567d37681008c0c1fbb87ba66c9a309d56d176be05371d55f8c56df98bade6d4e322c7fa5430467738ce0737b0e6951acc740e7bcdbf6142a10735dce2fef
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpbbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	482f471545e4327efaf6809408b51880_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	locdevdob.exe
1008	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU4\\devdobsys.exe"	482f471545e4327efaf6809408b51880_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAQ\\bodaloc.exe"	482f471545e4327efaf6809408b51880_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	482f471545e4327efaf6809408b51880_NEIKI.exe
2932	482f471545e4327efaf6809408b51880_NEIKI.exe
2932	482f471545e4327efaf6809408b51880_NEIKI.exe
2932	482f471545e4327efaf6809408b51880_NEIKI.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe
2344	locdevdob.exe
2344	locdevdob.exe
1008	devdobsys.exe
1008	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2344	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	90
PID 2932 wrote to memory of 2344	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	90
PID 2932 wrote to memory of 2344	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	90
PID 2932 wrote to memory of 1008	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	91
PID 2932 wrote to memory of 1008	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	91
PID 2932 wrote to memory of 1008	2932	482f471545e4327efaf6809408b51880_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\482f471545e4327efaf6809408b51880_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\482f471545e4327efaf6809408b51880_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\FilesU4\devdobsys.exe
  C:\FilesU4\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesU4\devdobsys.exe

Filesize
246KB

MD5
6dad3501b4a0120e5c19b748d070c03e

SHA1
a11c9f75f2b04a963d47bad37909802e759f1208

SHA256
d1c25435d0be4b27d3a7777862fe10fe81c35e8cf499ea4d3ca2647528f0fd20

SHA512
417b594a5f0f541402a52af0370cafc0e3eee864fd4cc64d10ac06fd81d4700fba49081f52ca0879ca3d1629144290d167da4eeedf07bb4899410be7022f3382

Download Submit
C:\FilesU4\devdobsys.exe

Filesize
3.2MB

MD5
f2a1fc20ff1cacc41bee8cb9bf413682

SHA1
24bf4611bc15d3933fe9f57453fc83420578a485

SHA256
ba678e4d1b6960d2ba9aec1c49589c4c8777819c7c4b25d1372d728db7aa1a66

SHA512
3fe8e96c5a592f531aa088d9064d8c10357cc589a1277e2421b5fb07a9862549698bf90cb1d2c53c84162e8650622aaa07a8a60d643fa99bf8e179c148555ddb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
0ba342df5cd64665eb4e4945b53d0aa8

SHA1
dd7f88b788c7d1ef17bda61c38f0b2c8c4d1f8e1

SHA256
b507ca26422d4ce05ed016f8683f450e9c00d2342dea2010e23a8728e7b6f396

SHA512
af8b602961a529da2e5811a26a0c0576c90cb43c744be02428acb782b8b57efdf8bbf8eb0f5d8d412e2d75b4c5485057873e4b8ec14087182c6cc1a6dc865e4d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
e71381afe88bc90500c6f33fa9b2bc7c

SHA1
4b206dbb71b636b4afef9d5a133ec914066be911

SHA256
823a83e5edc3bea023f87cbbc20f801f553e4e400b3c65512a821909c56f5ad2

SHA512
7cfdf75cb955ee7dcfee41a30b45621cd4cca63f3ff65552dcd08332281a6657557f5c9ca2d26ad25daa9f0daa6a7b0b52971b7efe7c84a75a352826bc1b70b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
03a2cffcbb342313455bbc681c491e62

SHA1
b03acd3cde282045281839eaa5bd8861de2fd804

SHA256
2639d74161a698bbc02f81ef60e8643cc291bf487da78590e9db8ecfeb177c43

SHA512
3c07d46f80b1ad3fa7640cdaed0db362eab367f09c192ca02fee93a69106aa827f0d5f2ae0f1db53b82ebc0c0bc693dd7f0c4082d3a6d6cfe24b185ffb79a867

Download Submit
C:\VidAQ\bodaloc.exe

Filesize
6KB

MD5
b646265f07f9f16a9eedf6d5027f9e3c

SHA1
a47300f0e83643f499e1b7c1be83a375a1293ac7

SHA256
d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

SHA512
403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

Download Submit
C:\VidAQ\bodaloc.exe

Filesize
3.2MB

MD5
20e9544f86926dc803f258ceacee8c7f

SHA1
0c47c61edade38edd9db3def36e5fce7379a0ce6

SHA256
26965c1825cc9a8da2761dbc946849cc5decf1dd08c76b55236b5b819ff0d8a6

SHA512
95509c0b3f83f09f3193484c3962703ccf7b3426f76b858a26e80d7020fc958656f35575363f57bf15c73c4c5ba7be4df903892899a00fdc725262536ae15b3a

Download Submit