Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 22:44

Static task: static1

Behavioral task: behavioral1
- Sample: 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
- Resource: win10v2004-20240426-en
General
- Target: 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
- Size: 3.1MB
- MD5: 5668ba9a4990b618363ce7452b13c700
- SHA1: 35f004ac8c4330b1e3e8715f5ff9606368694065
- SHA256: 58003668c5097e85380da3d3155e672a25c29dadf5f37110c640137c7d2b4d85
- SHA512: d74903722f20aaf12a6bf3a047cd61a34719b3fd0a2c857600da87eec37f71d0bd9d5fd1d87632230b80ae1589298a5cb6c8fed5916dfbea84bb9a4f17c58cfc
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpKbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1832 | locxbod.exe
  2008 | abodec.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
  1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv18\\abodec.exe" | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEF\\optidevec.exe" | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe
  1832 | locxbod.exe
  2008 | abodec.exe
  (64 entries in total, all attributed to these three processes)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1948 wrote to memory of 1832 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 28
  PID 1948 wrote to memory of 1832 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 28
  PID 1948 wrote to memory of 1832 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 28
  PID 1948 wrote to memory of 1832 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 28
  PID 1948 wrote to memory of 2008 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 29
  PID 1948 wrote to memory of 2008 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 29
  PID 1948 wrote to memory of 2008 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 29
  PID 1948 wrote to memory of 2008 | 1948 | 5668ba9a4990b618363ce7452b13c700_NEIKI.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe (PID 1948, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (PID 1832, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\SysDrv18\abodec.exe (PID 2008, depth 2)
    Command line: C:\SysDrv18\abodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads