Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 22:44

General

  • Target

    5668ba9a4990b618363ce7452b13c700_NEIKI.exe

  • Size

    3.1MB

  • MD5

    5668ba9a4990b618363ce7452b13c700

  • SHA1

    35f004ac8c4330b1e3e8715f5ff9606368694065

  • SHA256

    58003668c5097e85380da3d3155e672a25c29dadf5f37110c640137c7d2b4d85

  • SHA512

    d74903722f20aaf12a6bf3a047cd61a34719b3fd0a2c857600da87eec37f71d0bd9d5fd1d87632230b80ae1589298a5cb6c8fed5916dfbea84bb9a4f17c58cfc

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpKbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1832
    • C:\SysDrv18\abodec.exe
      C:\SysDrv18\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2008
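
The Signatures and the process tree above describe one dropper (PID 1948) that writes locxbod.exe into the user's Startup folder, drops abodec.exe into a newly created top-level directory C:\SysDrv18\, sets a Run key, and then launches both dropped files itself. The Python script below is an added example, not part of this Triage report, that hunts for exactly that combination over Sysmon-style process-create (ID 1), file-create (ID 11) and registry-set (ID 13) events. The event records are constructed for the demonstration: image paths and PIDs follow the report, while the user SID and the Run value name are assumed because the report does not show them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon-style events (IDs 1, 11 and 13), not sandbox output.
# Image paths and PIDs follow the report; the user SID and the Run value name are assumed.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
SYSDRV_EXE = r"C:\SysDrv18\abodec.exe"

EVENTS = [
    {"id": 11, "pid": 1948, "image": DROPPER, "target": STARTUP_EXE},
    {"id": 11, "pid": 1948, "image": DROPPER, "target": SYSDRV_EXE},
    {"id": 13, "pid": 1948, "image": DROPPER, "details": SYSDRV_EXE,
     "target": r"HKU\S-1-5-21-111-222-333-1000\Software\Microsoft\Windows\CurrentVersion\Run\abodec"},
    {"id": 1, "pid": 1832, "ppid": 1948, "image": STARTUP_EXE, "parent_image": DROPPER},
    {"id": 1, "pid": 2008, "ppid": 1948, "image": SYSDRV_EXE, "parent_image": DROPPER},
    # benign control: Explorer launching Notepad must produce no finding
    {"id": 1, "pid": 3120, "ppid": 1400, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROOT_LEVEL_EXE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int      # process held responsible; for child launches that is the parent (the dropper)
    detail: str


def is_root_level_exe(path: str) -> bool:
    # An .exe sitting directly under a non-standard top-level directory,
    # e.g. C:\SysDrv18\abodec.exe from the process tree above.
    m = ROOT_LEVEL_EXE.match(path)
    return bool(m) and m.group(1).lower() not in EXPECTED_ROOT_DIRS


def hunt(events: List[dict]) -> List[Finding]:
    findings = []
    for e in events:
        if e["id"] == 11 and STARTUP_DIR.search(e["target"]):
            findings.append(Finding("startup_folder_drop", e["pid"], e["target"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings.append(Finding("run_key_set", e["pid"], e.get("details", "")))
        elif e["id"] == 1 and TEMP_DIR.search(e["parent_image"]):
            if STARTUP_DIR.search(e["image"]) or is_root_level_exe(e["image"]):
                findings.append(Finding("temp_parent_launches_dropped_exe", e["ppid"], e["image"]))
    return findings


def severity_by_pid(findings: List[Finding]) -> Dict[int, str]:
    # One process showing two or more of these behaviours is the pattern this report documents.
    rules = defaultdict(set)
    for f in findings:
        rules[f.pid].add(f.rule)
    return {pid: ("high" if len(seen) >= 2 else "medium") for pid, seen in rules.items()}


if __name__ == "__main__":
    results = hunt(EVENTS)
    for f in results:
        print(f"{f.rule:34} pid={f.pid}  {f.detail}")
    print(severity_by_pid(results))
```

Child-launch findings are attributed to the parent PID on purpose: the dropper is the process that ties the Startup drop, the Run key and the launches together, so scoring per parent surfaces the whole chain under one PID instead of three unrelated medium-severity hits. The Run key rule also matches RunOnce, which the report does not mention but which is the same persistence technique.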

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZEF\optidevec.exe

    Filesize

    2.8MB

    MD5

    d6e3d1c4df1b8bbf8e09e29e66a23dd0

    SHA1

    b87abed5e5945595874126203a485c784a03f0c5

    SHA256

    4db54a865c9407a360c230230bb9ca1dfd11b0272fde305fd0eeda87b50343b4

    SHA512

    b2ac0b5db652471ff2042acb985fa7de94f0aac2ef4c01ab53c1e11ba29068467c5acc43dc825b75761361b215744dc08e01156fa3328192d52128ab26c1983e

  • C:\LabZEF\optidevec.exe

    Filesize

    3.1MB

    MD5

    e773c1ca72d55948251f203f3f9327ae

    SHA1

    85ffd6d208f9c9a93d812ad08f6fed180c2ca697

    SHA256

    5cb29612d2f6bc8c7238a6b61dcb60f428a8f447c62308942a1439c2dd36151c

    SHA512

    0d77ef8b5eb908be48ba174e92cd8ba79c8d6a076e18e30215220fa3d802abeff9e436aa03f5c76bcd9045c8973db46a0ca091de27fc3ef3e66918f15f576a9d

  • C:\SysDrv18\abodec.exe

    Filesize

    4KB

    MD5

    7b41954bee8856da62ef57345adc3522

    SHA1

    11b72bcd158990287c7502b2d89a500dd528be97

    SHA256

    53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2

    SHA512

    6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62

  • C:\SysDrv18\abodec.exe

    Filesize

    2.8MB

    MD5

    a8138b67ce5b90646122c11a72a1469d

    SHA1

    2b438addea5b364ef2e894356cd3487405fdc3bd

    SHA256

    3a2a2345c71da4c852fab9eb36119ed9ae8246d4854152e13e4ff70f8b4a5083

    SHA512

    36dfdac6e78fb8a3ee35e1d0d845e2da800876b7949c27a1f92fb3146cb5e7cfc8c05c86b35ddc163f8b988aff848d181c87be1349886253ec57bd661fab6123

  • C:\SysDrv18\abodec.exe

    Filesize

    3.1MB

    MD5

    3e7f7b4a5be669e817e694dde3e2d756

    SHA1

    84d238d04f3f5d58b6a3d5830896a9877212c031

    SHA256

    25c1ffb9b5a76af7b252d2d9db8d6768b7877fb72b61e9ddc312fe3308c83862

    SHA512

    edb85358cb08274fb43b3221bdc967a0367d78d604b265ac37bdc64a9cdf8057256cab60db240ed9a839785d438a5dd9544532bd43a31d5fd6cf4e2aa2f6c38a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    db7b22e3d2d26181fdfce1eeaff33d86

    SHA1

    a15cabfcc370c7184740cc419a4a89e1154ec251

    SHA256

    26544d4aadd2c0abc0bb1cc1fa8ea414fd2123efdde00ed490bc21d2b8cf275e

    SHA512

    4953a70010d90f03cdeb214d70d9a0eeaa74a0e8986cf4c486b47b7e97ce4d2fbe25cca70cc46010fe1653209e35ba7424b8cb6d34910733530802bb2497188a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    acea897a5befce8dc81c0dd9599b9902

    SHA1

    69bef6dbde15907e85fd2bf5ee76447b776f3855

    SHA256

    b6d2fc6afb1555e079d13bbdca41744be5d34ffe2d4b6b1a599097aff1d2fcb8

    SHA512

    ea2f51435c37ab0d8bc9897accce46ea4b8802841584d8ead214e3ffc639c541bfefd49b999825279b719bd25b1c2625a36e28fe5cb0b3c91af177cd49968310

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    1.2MB

    MD5

    211f25780a949ecc47fe103d46655355

    SHA1

    9e61828760283cbf311ef63c6da4b54bc8e38bf4

    SHA256

    03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

    SHA512

    425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.8MB

    MD5

    843277c0828658a3964abf036b7dba66

    SHA1

    53d22a936f9760d9b8364c767721429f0269b54e

    SHA256

    7bad749b16d08f11ad4a7e5ec232592ae97081065eadf335a582ebe73e2d970d

    SHA512

    55d7f533a6c675338392c4648ee8408d1f896a6f0087ff7cc5ca398317b1df3f95a50924e606e393627060754200c7c29e9ff87397fc62c4e5738e0a3ad2bb30

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.1MB

    MD5

    9955411f853ab1ebbee19d3582a71904

    SHA1

    9c340435eec8af79c99ebc3e077a52458165c6bb

    SHA256

    857051625d2b27b31eb140fbbe1d939abb5a48ae28f3e74d56c77a553fd88c92

    SHA512

    92e72d0b61670dd326474d9d3493d4b2ed02b3c19d5d8ec1b701fdcae0c978e5635075ed2426f70d3d7f0140de7e58e8c13a77a0e7550fe6d012ab51c7962457
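
Each path in the Downloads list above appears more than once with a different size and different digests: the sandbox records every version of a file it observed during the run, so a path-only indicator would miss most of them and a single hash would match only one snapshot. The Python parser below is an added example, not part of the Triage report. It turns the flat "bullet, label, value" layout into records, checks that every digest has the length its algorithm requires (a cheap guard against copy-and-paste truncation), groups SHA256 values by path, and emits a de-duplicated hash list for a file sweep. The excerpt embedded in the script is copied from this page's Downloads section with the blank lines removed; the parser skips blank lines, so the original layout parses the same way.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Excerpt copied from this report's Downloads section (three entries, blank lines removed).
REPORT_EXCERPT = r"""
• C:\SysDrv18\abodec.exe
Filesize
4KB
MD5
7b41954bee8856da62ef57345adc3522
SHA1
11b72bcd158990287c7502b2d89a500dd528be97
SHA256
53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2
SHA512
6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62
• C:\SysDrv18\abodec.exe
Filesize
2.8MB
MD5
a8138b67ce5b90646122c11a72a1469d
SHA1
2b438addea5b364ef2e894356cd3487405fdc3bd
SHA256
3a2a2345c71da4c852fab9eb36119ed9ae8246d4854152e13e4ff70f8b4a5083
SHA512
36dfdac6e78fb8a3ee35e1d0d845e2da800876b7949c27a1f92fb3146cb5e7cfc8c05c86b35ddc163f8b988aff848d181c87be1349886253ec57bd661fab6123
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
Filesize
1.2MB
MD5
211f25780a949ecc47fe103d46655355
SHA1
9e61828760283cbf311ef63c6da4b54bc8e38bf4
SHA256
03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3
SHA512
425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c
"""

FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Turn the flat 'bullet, label, value' layout into one dict per entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):              # new entry: the path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:                  # label; the next non-blank line is its value
            pending = line
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return records

def validate(record: Dict[str, str]) -> List[str]:
    """Report digests that are not lowercase hex of the expected length."""
    return [f"{name}: expected {n} hex chars" for name, n in HEX_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", record.get(name, ""))]

def size_to_bytes(size: str) -> int:
    """'4KB' -> 4096, '2.8MB' -> 2936012 (the page's sizes are already rounded)."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", size.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2).upper()])

def hashes_per_path(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group SHA256 values by path; more than one per path means several versions were captured."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["SHA256"])
    return dict(by_path)

def sweep_list(records: List[Dict[str, str]]) -> List[str]:
    """De-duplicated 'sha256  bytes  path' lines for a file-hash sweep."""
    seen, out = set(), []
    for r in records:
        if r["SHA256"] not in seen:
            seen.add(r["SHA256"])
            out.append(f"{r['SHA256']}  {size_to_bytes(r['Filesize'])}  {r['path']}")
    return out

if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    for path, digests in hashes_per_path(recs).items():
        print(f"{len(digests)} version(s) of {path}")
    print("\n".join(sweep_list(recs)))
```

Sweep on every SHA256 the report lists, not only the last one per path: an endpoint that was only partially infected, or cleaned mid-write, will carry an earlier version of abodec.exe or locxbod.exe whose hash differs from the final one. Keep the path and the unusual parent directory (C:\SysDrv18\) as secondary indicators, since a recompiled sample will change every hash but is likely to keep the same drop locations.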