223bcf37d426b94a7684f59a508ac57247042745fd1ce8a2c83f31d9d6803a4f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
Size

4.0MB
MD5

691cb4fba9fdb249dd3194d5d417f9e0
SHA1

4fec2a41a765bdc7a1df9610b121a32012b5bd62
SHA256

223bcf37d426b94a7684f59a508ac57247042745fd1ce8a2c83f31d9d6803a4f
SHA512

4bdd133a0ad360af4bcd910c0cdccced8207da9c5e09f9d029f12cf2488f78d5bc989e606304d8dec5a3d55bc0230fa9588df109a86312460bacd441d712c513
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2436	locdevbod.exe
4908	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZG\\devoptiloc.exe"	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA8\\bodasys.exe"	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe
2436	locdevbod.exe
2436	locdevbod.exe
4908	devoptiloc.exe
4908	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 2436	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	88
PID 3088 wrote to memory of 2436	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	88
PID 3088 wrote to memory of 2436	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	88
PID 3088 wrote to memory of 4908	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	93
PID 3088 wrote to memory of 4908	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	93
PID 3088 wrote to memory of 4908	3088	691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe	93

C:\Users\Admin\AppData\Local\Temp\691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\691cb4fba9fdb249dd3194d5d417f9e0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\IntelprocZG\devoptiloc.exe
  C:\IntelprocZG\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZG\devoptiloc.exe

Filesize
4.0MB

MD5
07c9393dd03584a2e45f6a801c94164c

SHA1
87c1f50b658cb7595fe66504cc0fcad983c056e6

SHA256
d77f49e807bad9fd5f59fce2d5cdd4c3bbf1383d6559ef3905b0981e116ca100

SHA512
6e90d3c63e244f9de2bf7ed546d76e7e110f3514c07aa70b11a0747912f009eb725659bea7e0c522ef530b855d3065bd34ba62f672acc3430a26ee635d208e1d

Download Submit
C:\LabZA8\bodasys.exe

Filesize
2.3MB

MD5
1623bc27e1b180b38b75ebf2b4479108

SHA1
29032c7fce3d1a2508926a6d6c544af0d0778670

SHA256
d839437365f0bb5cd24408e604541cf0fa237acb139c20b9b15b4ee55c4659ec

SHA512
d6798fc918e23cfc5cc2dd798718e5627ddc472c9747eb5aec7a6e141aa022969e533940b706a2f4cba032a179ab3038b0c763e595c3f14091f229c88bbfe623

Download Submit
C:\LabZA8\bodasys.exe

Filesize
23KB

MD5
3802e70e50917db6adbff13a6824dce7

SHA1
1ec74804dcbb5eac9158cc01b922116000bd27f6

SHA256
b81d5b38681149b114bf47a1e7fa43ddd85131b90d90958a3b1ff715a6be3573

SHA512
2ae50667aa5c3bf216c71d67c60ef19a77841a00f44d71976aa8f97b9a6fd7f512a1183679559970fb5175722a27db103b3b44cbae08e134908cdae961b88b2b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
0ffb5bae26cda954e7d278090c294a68

SHA1
e8754cd64f0c30f606b6d322edac3784a3996159

SHA256
caeae60a9e4462f54af1df1e038e54bf5ea593753b382b90884499a20df95c3a

SHA512
0b281447d7d9f9361e81c2e96f8d0e8db2a61f19bcdec8898b0b6db09b14f1c5c589b1285073396bb4cfe021c1e111021a38ad0b55af02314bf896b64aae2e40

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
b577634add249c328ad3fa8f81cd135e

SHA1
27d666cdd70c663add9eb196aace000117c5ff08

SHA256
a0dad4f932437aa03f14d2403a47c69b73b6c7a6f168e53c7731f3cb2e740f84

SHA512
90162d1104f73bcc6f21f0eabc122c242435cb99c255e84d5fc382ed3950aaecdfac39be56542869ddc2e32f3f0175a879eaaf2ae47dd4090afde95e2b92236d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
4.0MB

MD5
4e1213ff4064dd4cebc04516819e1276

SHA1
62aa175ccdfb8ac138acafbc0396f1d2c3901816

SHA256
c136d4cc142a2411cf399973f0567710ca23249443e6583b1166ec5417e8aac0

SHA512
3540890878605e3afdfc010bcb54ada758a35ca7294e55a3abffa8626b4c324a3b3a679990f548eca540619b8ee21ab149aa8c73eb1ba1e7e6625f9068fcf5d0

Download Submit