223b8eaefe34b3d3166afaa541c0999df4d3bc0c523336feaee30b8d43782608

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
Size

3.6MB
MD5

3698f7e1a535ce4085da45a06c2b2210
SHA1

ebeccaf5551919734333851fee9488f6546eba2e
SHA256

223b8eaefe34b3d3166afaa541c0999df4d3bc0c523336feaee30b8d43782608
SHA512

f4e017e1be1c0b9604121feecfdc8a475cd0bc95c63b0a68faace85829e00a09424c097acd5fdfb87c272b6789e87f837ed3f45eef2b47d9dc00f1299ba8ccb4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	ecdevopti.exe
2344	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPM\\xdobsys.exe"	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNT\\dobdevsys.exe"	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe
1956	ecdevopti.exe
2344	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1956	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	28
PID 2076 wrote to memory of 1956	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	28
PID 2076 wrote to memory of 1956	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	28
PID 2076 wrote to memory of 1956	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	28
PID 2076 wrote to memory of 2344	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	29
PID 2076 wrote to memory of 2344	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	29
PID 2076 wrote to memory of 2344	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	29
PID 2076 wrote to memory of 2344	2076	3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3698f7e1a535ce4085da45a06c2b2210_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\SysDrvPM\xdobsys.exe
  C:\SysDrvPM\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxNT\dobdevsys.exe

Filesize
3.6MB

MD5
8c7eec867417abe62e4f2d3965d5b1a1

SHA1
6110a72a362c164db065fa0f3fc1fba1ad3d6dc6

SHA256
e70b758a344018b7f183fad6331d20c6d94f3d310969070911e1e9c53468d8d8

SHA512
45c3adbdb1d06a5fca1695c4096c19c6a178d90f7eaaf202a487a5f3021ecfb836fcd8c91352a943e1fa93dd78d843ad7984755ba94764e473a411c085c43587

Download Submit
C:\GalaxNT\dobdevsys.exe

Filesize
3.6MB

MD5
0294d057342563e0bd47823582f702aa

SHA1
9455def93537cc72002c6f8dbf86cd3a0d348b96

SHA256
d4095b049efd34ad9912b87c570ea5130571b8e70ede37205c72aeeb042b3aa9

SHA512
adbeb6015d688fdc72db9ee8e03a213e83e89576bfdaa27184f671ec26025f41b91ed5c82e4f6c5ccb5d21de8985cc7e6d187c3e24205910cfb1c2a19edc3ec0

Download Submit
C:\SysDrvPM\xdobsys.exe

Filesize
3.6MB

MD5
cb3ddc32ff6ab7ad83e33a49d22f504c

SHA1
7eaef69a5c9adecb39f6b898c9a1fe3eb7ea9ba8

SHA256
5578b68fba7dd4e5cf05ba3efa076b72e4bf4909701293daa1719985d3ce9c1f

SHA512
95e7b2db2f5320f5208c9a95f1b73c05df211728fa070c8fc0cf8769a80feda0263554ad8542dba20d98651ebfa907db85c3288e9a8f0ee1ce7f7079edf93fcc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
96dfcdd0efa552768d66a812d3af1172

SHA1
63196996a561a20e3c096b9c644be1434f86a9e9

SHA256
3fc6e87430562c242c1f9403a4f86ed5761539ed09eaac1acccde6b9b44f9a16

SHA512
c936433b8e7b287c0f6c3ac7cb866b034a86552de570d6dfee566a7e1b095dfca86676a0751da08ec4e19b42be611f963e8bfa2186a17ad28f1c34992fde2c08

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
06b9f59d300955cc78753a596c4647e2

SHA1
641a0ad91f003eb4ea1a3fbd818bafa658757c17

SHA256
a0c6117574ceaf288dc39d24071cb9c5ab9382f1bc741cf82904605c48b718fb

SHA512
4563707b3af12b7f097e304eb17f97e1cca32141d2c7a392328d94fbe4cad27b2cf9a1f624f3263d47f77247705e0f139e427e3d613f8dc75acb136f72bea103

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
c8052ef85d9da86c883605f534215ac4

SHA1
14c229346ea3d119c268fb1bcb87223178021f8f

SHA256
777703f3d9b1d07b0c09c234f186ebac896bc3cc20880eac614fa201430969b9

SHA512
c7551176edb7a21b2d997849180bb916bfcfb5d8f7fa7d442f604c13792ee4389b90b208f64ba895c86a02ada8e217d6ede42cd58ee49a226a808276d933f6cd

Download Submit