e32dd1474a1f3f47c6d8ee19fba793c4cd900bc68350710d34ba6a3cac171788

Analysis

max time kernel
150s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
Size

3.6MB
MD5

37a140fe29eaec7bd519e87033aaa5c0
SHA1

172be7464f4c1b5591f73a459cd643dccd4b7e00
SHA256

e32dd1474a1f3f47c6d8ee19fba793c4cd900bc68350710d34ba6a3cac171788
SHA512

af43c929359bbe3bd697a56122ce3d01b741b409a6250b1928b5e8633a5d8d845476711853897d5f0a4161f00cc155edc704ff7a6a4cdd3889680fe201cfd31b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpVbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	sysdevbod.exe
3764	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW0\\devoptiloc.exe"	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB78\\bodxloc.exe"	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe
2752	sysdevbod.exe
2752	sysdevbod.exe
3764	devoptiloc.exe
3764	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2752	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	88
PID 3164 wrote to memory of 2752	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	88
PID 3164 wrote to memory of 2752	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	88
PID 3164 wrote to memory of 3764	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	89
PID 3164 wrote to memory of 3764	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	89
PID 3164 wrote to memory of 3764	3164	37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe	89

C:\Users\Admin\AppData\Local\Temp\37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\IntelprocW0\devoptiloc.exe
  C:\IntelprocW0\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW0\devoptiloc.exe

Filesize
3.6MB

MD5
2e577d65d0e9843cc1c0e0fff5ba04b6

SHA1
1fc073ee87aced0d271d76c645b2f0e7faa47a9c

SHA256
dcafd41cb887435db7f251ac94d6bc84430b479efd9c1af8962188add404dabb

SHA512
34291b4039c4c80f0d80ac18ebf251e877e61a7b077f302851f293f205622c72bb5d4cf24a385bf6f8c6dfc9a64d58ad0d294ffe9a3c9c56ab67ca5d1afba959

Download Submit
C:\KaVB78\bodxloc.exe

Filesize
206KB

MD5
eeac235b928d0fba3fa52837f42132cd

SHA1
2dd961d50771d81b29f4177fa1cab6d442bbc46a

SHA256
7b01accfd28116618def125470fd0bfcdd1b151e98888b3027fde945566d5b5c

SHA512
683cbb61657f3f79a5edd3385a8cfc5bbe364d54760e65eb3d52a0657d1d8b56eaffdebcc9f6037ab49a48355fe8c63b036a3e2289950615e7917972e56eb45d

Download Submit
C:\KaVB78\bodxloc.exe

Filesize
3.6MB

MD5
ae16db6e0a46ceca3f91203a751f04ae

SHA1
d4c9986b067965eb23f025e0288cea6cd9ce95b9

SHA256
01d1f4f80b45127fb8cfe0709faebcecb986075e59ceb506a77060638ecca215

SHA512
1256c778c1308f1269c7a2b270be613ed698771a65ca738c973ec6295cbea234c29282c05363d77453bfb52550008f85fb1332bf84c5a8b9a4541c0d83c67d65

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
528a5a975f4268cf588afac150c41ebe

SHA1
368bf692c2ffc0968103546aecc3e2d0fd531b5f

SHA256
1eef70ce0ee14c6de0b62fb9f3e204a6e437439ffecdb5d50fa7089581649da9

SHA512
975ca16bfa7fd96dfb2ace3b2205e3d32a4a4780ff1b9df3ab29a6ad94e3060f32ec6cc345df35e8f5a32a4b3d872b095700c437825e2743e10f64de5e8904c9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
ed29f9c5da24d8097637e064af51d7be

SHA1
f5979869dbdf4b346817355d689029bb60c7400f

SHA256
0d6da0f5b373add9d8af641310a410d40e0ee23572f62269461a56656572549f

SHA512
685a121f1a3c358efe14416875f3eac07e720993a3ef2c7adc249cbb6ed9c1771a85686bd1cdcbec770b0e8e2fd06492b1576843270b15df24c0e3fb23492941

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
0a8ca0de9c5ff17122c3e2ad19284ae5

SHA1
ce627b69983d87a1eb476734476b00ca2093f89e

SHA256
b8c1834352350f4b3393321e74c8ab87d55761f5908ba85cd6d3309c0b221779

SHA512
ef1a72e006cec383910f006cb88831c0da916e4828a899b2a2c62b1a50012033e29141baa0b53f3f9813c9ec9f370e271e53542d045c65b7d2d344181eb22fc8

Download Submit