f57b9bcfe9c17e54350ca420b0f33a2ed73851a2fb29b6e8797babccf4e77851

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b2be502314ba333d7564b6c4584e40_NEIKI.exe
Size

2.8MB
MD5

63b2be502314ba333d7564b6c4584e40
SHA1

1faa67347db582ba057ce06cf7a38218cf07ab02
SHA256

f57b9bcfe9c17e54350ca420b0f33a2ed73851a2fb29b6e8797babccf4e77851
SHA512

8cc63df8c7e2293475f35843731dda17363262827cdee3a62d517178bfd959e9884b47681040cae4bff5a100fe8fbddd6be9f9b79d7bde55ce11a8da5aebf4c6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSqz8:sxX7QnxrloE5dpUprbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	63b2be502314ba333d7564b6c4584e40_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	sysxbod.exe
2844	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe
2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKT\\devdobloc.exe"	63b2be502314ba333d7564b6c4584e40_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMQ\\bodxsys.exe"	63b2be502314ba333d7564b6c4584e40_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe
2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe
3000	sysxbod.exe
2844	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3000	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	28
PID 2968 wrote to memory of 3000	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	28
PID 2968 wrote to memory of 3000	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	28
PID 2968 wrote to memory of 3000	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	28
PID 2968 wrote to memory of 2844	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	29
PID 2968 wrote to memory of 2844	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	29
PID 2968 wrote to memory of 2844	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	29
PID 2968 wrote to memory of 2844	2968	63b2be502314ba333d7564b6c4584e40_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\63b2be502314ba333d7564b6c4584e40_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\63b2be502314ba333d7564b6c4584e40_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\FilesKT\devdobloc.exe
  C:\FilesKT\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKT\devdobloc.exe

Filesize
8KB

MD5
4f22d799849ad951d457b82eff37db75

SHA1
4e1063fe8d636bd72f9cd680c689c23c67188ea6

SHA256
6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

SHA512
9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

Download Submit
C:\FilesKT\devdobloc.exe

Filesize
2.1MB

MD5
3242b1b5ec4d3d33a694678052d73cb6

SHA1
d09e86c57a3c70adfdd2929c9afda9483ccf6bbf

SHA256
4821f58f3dd97998a00eada428a6622801e6150fdb0bd2ba2905ec1db2e252f6

SHA512
a32aa99fd9f6f79c87ad5bf64ab753d1e56b77fd49f0c2f3967a08e78c0b24d763cd071cc584a5dde8673e6a2db2158055f50ed5f539517011da1fec5507b1a2

Download Submit
C:\FilesKT\devdobloc.exe

Filesize
448KB

MD5
f226324fef5c8a829e14c9190ee5925a

SHA1
6fb65aec2773479b7c53956c072a791d648a770c

SHA256
aa6ae7c96b8893a0c5bc7b8557ea1a3262d6ec6cbb7fe1049bc7a7bb19e09661

SHA512
6538e42b761bde05883732f4f4f706bc3275a4d7bc3b72a68feaf5614fcc56f533adbac2c8bf4b5a0790beb7c4315a8fb0cd95fb85e7a6135eb3c2e2ecf59644

Download Submit
C:\GalaxMQ\bodxsys.exe

Filesize
2.2MB

MD5
da2919255dac321df48f6c67019f9b5d

SHA1
81eb035a413a6023ee46e2733db8c0b9b45fd9ba

SHA256
09e2326ca9809d31eb3475817d8aba5d59099c8d1df6f70bcb7adf64164d17b7

SHA512
81d84ed1a6f8d22baf14966fe2648eeadbc9ab2db7f0c60ccb141ab0213330fb3ad839fc6c1e50a4ac0b670acf3c72d86658d887a95bf54364cbcf12f6305618

Download Submit
C:\GalaxMQ\bodxsys.exe

Filesize
2.2MB

MD5
c15053b93ffa58b666acef7ee1cb427f

SHA1
ecb0310aec3f67dbf4eda9afd15cf1933b883ef2

SHA256
687bf2e46b12cce73f6f5fbcc6c445113bffd1a3cc2210e436ae5629b35b1914

SHA512
9ecdd8e5dfd56349687e552e165646e0141b8b5892e017f846b1fb042eeafc62b7270d1040f7ea62ec52896de66eefd10c9aa1df583b70ab15177624233ca3e0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
99487844447e64bda87ce703ec14ce9c

SHA1
0c0ba69f968ffda52997792c63832464f1465691

SHA256
3fd7aff0ad812570498256b960d45b8a31237b61e53671c52bfd6539645771af

SHA512
ee5047b433a7e3b993b9beca9cfbf7894f06e75c67d3174c7355a25194d64d58613065b8c903c52be6022a81a783298609e15c7d15a560ae386ca8b1443f9d43

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
31b11ef6cbb025ff251cfd343aa363f4

SHA1
945e36d0fff822ada5ae1494776519fd8698a850

SHA256
2fb78a2420e4fd8969df7b103f58d410dbda6259ebd831fce31a25f430c078fe

SHA512
a65de449089d834782fcbfadd8be4af5a14b82057d9af260318d631e605f541d4fe1811afb2138d0da631d80cfe5e12200139df058388148674f304e758bd584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.3MB

MD5
e74dc3c9ea46ce7ec6961339827debaf

SHA1
b5607e12ca41192256d2c4173ac7e94a1118d833

SHA256
90526f0a0278f93a0726c1f7bb7fa17dd203996d1084e506175cff2ac3231768

SHA512
69b7fc428e74c7c8b85dd6b26984a3a0d3bdd9ee38504f20d51e87550c734dec03bb0d2381ebed75e3d19d8927212ff97ed2c06116be3371db1c34fe95e1cbf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.1MB

MD5
bf947afaf19e6cc43a4ce41cf250864c

SHA1
670d9f4f2ad36c165e152d12146004b576fc974c

SHA256
0eed3d182d9285c2dbdc9b801d4186c17e398479bfd96d61a0e2017ad5f880aa

SHA512
8f2ef7e9b2971ba56127f95f14cc7885eac37b752d32b99201d5e22e8685b4b176f5c50198162cfae6f1fecb4bc2aa1b6ebeff3a56bd068932ba0ad0632ab6cf

Download Submit