223bcf37d426b94a7684f59a508ac57247042745fd1ce8a2c83f31d9d6803a4f

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
Size

4.0MB
MD5

691cb4fba9fdb249dd3194d5d417f9e0
SHA1

4fec2a41a765bdc7a1df9610b121a32012b5bd62
SHA256

223bcf37d426b94a7684f59a508ac57247042745fd1ce8a2c83f31d9d6803a4f
SHA512

4bdd133a0ad360af4bcd910c0cdccced8207da9c5e09f9d029f12cf2488f78d5bc989e606304d8dec5a3d55bc0230fa9588df109a86312460bacd441d712c513
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	sysxbod.exe
2472	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFL\\dobxloc.exe"	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSO\\devoptiloc.exe"	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe
2176	sysxbod.exe
2472	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2176	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	28
PID 1040 wrote to memory of 2176	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	28
PID 1040 wrote to memory of 2176	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	28
PID 1040 wrote to memory of 2176	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	28
PID 1040 wrote to memory of 2472	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	29
PID 1040 wrote to memory of 2472	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	29
PID 1040 wrote to memory of 2472	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	29
PID 1040 wrote to memory of 2472	1040	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\AdobeSO\devoptiloc.exe
  C:\AdobeSO\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeSO\devoptiloc.exe

Filesize
4.0MB

MD5
b7d345770447a355a712b7875e7f29d1

SHA1
7bd44d38a2da8aae44ae168a724a4e1e283aa5b6

SHA256
2cd965700afc2f1db1c4d9bc5b2ab0b5d3058792250bd09fdd9eb2ae9222279e

SHA512
d55cacd5455ebaf015049e19e1fbf51035f1c5db427c9f33080ae9a3009d0e44f05aa8f5ff60b72d8c75c4e8c6b3d720553f6d08296abb6738c1244ec5f7ec58

Download Submit
C:\KaVBFL\dobxloc.exe

Filesize
4.0MB

MD5
7da3741c6aaa6c3fff9be85e4e670bc9

SHA1
50d71e70667bb55551feb7acb7a315b1603d7fcc

SHA256
1371e53cea72d85ce1251093d217cb6b2efa244562e89addeb10f8aedcfbfd51

SHA512
f9aee92b9e3d26f582388badbddd75cd1a88a954d16c006945264b1260498f346c93ca6a52ff3959d9c7581e4ccc81df74f64db1e9053301e282060de3d7a417

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
e04bd1410b7f8de122c7f13c41d95826

SHA1
8764e7b1e62c88ef2229746a84af7f48ed3c7319

SHA256
2491f921400bf0b80ccbff5df66b109bafb78445b4fb328d6efa458d6f9d2be8

SHA512
8a6e18e63605ba1ec6907aa79f0bb6f3f426b57a1a73340983ae15958bde4012166b8bb7505c9844eb1e4b236fa7af11b670cc68543f40f83a8645b636888219

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
d7ca29a0ca7eff27a4663650827e570d

SHA1
6d59a1cc6791414976f647630c99b29dbc3d1176

SHA256
3befd290c39e3e5500114fb4865b05e864d5c2afe58e8202b85f7681a87d1595

SHA512
8454bb59ad85032216b2843772a04bd828cc5b12e69029d19c62d9282307ab7a748dcbe95f6d81cfecead53de17b1fc94c88233d4dc4f231d37882aed45c4645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.0MB

MD5
2e6fbfc907da03cb0c2eed8e4dff079e

SHA1
1ff898986c6ae69ada4ed45a467fbfc63d8d0fc0

SHA256
a879fbd30cac19a7237777f9bd823b311a0ef9cf56c6015f4e86fcc05a2bfa2b

SHA512
86aff1949b5a9f25b9edb9907471c5244c86735055607f750bbef5da7b273c2993ecb0e4c0620d361c6b6aa4ec0bee15cb730ee413d9ce95ee3db4b5afd9e803

Download Submit