6ed13cd098496ed202cdbb34f3aef62247b88847ef43d444ec0336c4be03a98b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
Size

3.0MB
MD5

67a7e6ad2fc9257dc69883fcc0db82a0
SHA1

b0814478ce7a05d003b6c062fa41c0654cb35d8b
SHA256

6ed13cd098496ed202cdbb34f3aef62247b88847ef43d444ec0336c4be03a98b
SHA512

f50a3bb574000c30cce4f813eea335bbd647cb79402898ddcc3cc2dc81e172a29c5784cd7380d4525b1dc605f548211628e9988c4239917e4d6120be2ebde09e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1020	sysdevopti.exe
2020	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPC\\devdobloc.exe"	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXJ\\dobasys.exe"	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe
1020	sysdevopti.exe
1020	sysdevopti.exe
2020	devdobloc.exe
2020	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	91
PID 1672 wrote to memory of 1020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	91
PID 1672 wrote to memory of 1020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	91
PID 1672 wrote to memory of 2020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	94
PID 1672 wrote to memory of 2020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	94
PID 1672 wrote to memory of 2020	1672	67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe	94

C:\Users\Admin\AppData\Local\Temp\67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\IntelprocPC\devdobloc.exe
  C:\IntelprocPC\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocPC\devdobloc.exe

Filesize
3.0MB

MD5
a4c6e0bde0d61cbe81ec2c9bf72034bd

SHA1
1b3131f71a4d31806aca059f56c16a3cb407ad88

SHA256
257815b83d0c0bdaeec274e7cb4333ca0efe498f390acecc52732773bdfe94b3

SHA512
89c69e2761e466292f2de5c4f2cfc4e4e17d1bdcccf9f9eb0e3562c71899133697a4efcd831fa4b704229c72f22d17fc697ca6fda0af522db61fd19039c385cc

Download Submit
C:\MintXJ\dobasys.exe

Filesize
1.8MB

MD5
826452da44a95025aa128be9a80022a9

SHA1
ceeb444ba7e2a0cc8ae790f266db5a981629d0f4

SHA256
5ae5abcfef02c5c262e2ea4a2f941d7c6dccf08d7b0de495b8f64623cdae8ff0

SHA512
5fe6e205a9a48b72af3ad397cef59c7de47ffce82f65bc8c18226963653ef442307bae1e4b51a02251af59c5cb08b659d3537a0ad32ee98c3451329f677112c8

Download Submit
C:\MintXJ\dobasys.exe

Filesize
129KB

MD5
6753d9f85c40da2d9d1d36dcb5f2192e

SHA1
7506c69437a5b65d937a62e0f8e4179aaf814e08

SHA256
fa8d611e14e54215cb9540380976decfd780b962a67a6b84d4f197136601aea9

SHA512
de0eb48a4791799d0d0d4dbc1e8b3832df5e93f99b641a05086d65b72477898e6018a0172fbf30a7dec87e675550dae409133e4332589b3b9efffd5b0c01c2b4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
6718afb803b717e51be47c47abc05859

SHA1
b9ea2c3dd79ce3198ac9e1b57c2f02837383d2d3

SHA256
2bed8418f7ef19a351a84aae5f278ab07ec098500500a408a1ae0599b895c463

SHA512
2e37c659c6b1c1c0dc0ebd8e274b0d9a68df2460680cf871c2de5d7feb72d32aff178a241d430baca8f60861ff060f10b29b65cc66344f0077dcaf34c1764a26

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
94e55d35a6c7de8363c3e30c7d1886c4

SHA1
fc107694a277881faff7288006ef073af325ed46

SHA256
4616fb104b50aea4cf38a98004be05aea2851543da9a1d46225d1e0e87e7379a

SHA512
17d2a7674d8236f6450d0e932349b019adf94f4b31ad1112f67e506aee0de21e27c1321a33591f9691d9edb70edaa092ff7ba735a97750063cb5ae0f74311a87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
b16f29740d7422b1bee10414b680611d

SHA1
270c07678277c8584572ec2776eadaaa58c1af8c

SHA256
8770898fc05c67f390666cc8b3c000fe97f005f970e9babd57fcaccfccac5ce0

SHA512
84fd23f075d5585bc690742479cbfac348d246e47a78cf130e590ee8ba92e7ff38d17161494481ed40c2ee597f2970ae8e3b87b4e847d8b42f2cbeda0b55365e

Download Submit