feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2712e52f3b219a414929957a9bada2c0_NEIKI.exe
Size

2.6MB
MD5

2712e52f3b219a414929957a9bada2c0
SHA1

0ae9db08eb59a601f4022cdad77c8c5acacc97d9
SHA256

feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4
SHA512

a13c1c734ea9cf430af26c1d45ed894864c40306200c96efe531eab412243cd92b8ac0ed677ce1d5ea51cd7c7e941589dbf6322e7d65606652caa3b8d5741a62
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bS:sxX7QnxrloE5dpUpA7b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	locxbod.exe
2924	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBE\\boddevloc.exe"	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUU\\devoptiec.exe"	2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe
2928	locxbod.exe
2924	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2928	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	28
PID 2076 wrote to memory of 2928	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	28
PID 2076 wrote to memory of 2928	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	28
PID 2076 wrote to memory of 2928	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	28
PID 2076 wrote to memory of 2924	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	29
PID 2076 wrote to memory of 2924	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	29
PID 2076 wrote to memory of 2924	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	29
PID 2076 wrote to memory of 2924	2076	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\FilesUU\devoptiec.exe
  C:\FilesUU\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesUU\devoptiec.exe

Filesize
2.6MB

MD5
3d32437f505504b330836646b54dd84a

SHA1
ec6f68767a45c19ababc5c75e9b1927dc1eae591

SHA256
3b295ee9e7be0ddc0c4a21baade4922aa43e1e06dd16614339bf310f5a858080

SHA512
53df4e4f3d7e0538a4b5c785ba10dfd9b73e87dca2140b4222bbb41dc9f25ffe7333fa7dbdf4dba74898df458f4f8ffa7b84c2de2d2b53ae7763f475e825ae1b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
d1bf1475cfb79545a2067c3d985dc616

SHA1
46bcf90e6ec8f0f16aaa8be761d80c0eceeb2a36

SHA256
86358b5d27141aaf5ac801d79611fff4406db36ea61fbb3a36acb32bb74c0a47

SHA512
74f94ea80f20ccf9351e54f4dab38fc39517eb836f94d91febc96c1424a65a22383da770cf898ec0060439e3f3ed2b1077e4adf99952e67061c6cb2d9721efbc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
6b1e7a6aac78dc7f8575c1b13659ade9

SHA1
4a550e3ad9ca4ec1d23b063e3754e7f329a03fe9

SHA256
4abd7765134a41d72ad7f7c63ae45bd5443877d83f37c12003c856627eec341e

SHA512
a6ef67293808f6e8ef72fdfd5af3d7bf7f1e2f93d0134b0c268f7b82664a588b0128e3b6527ef0f94582dbff6aac3889bb605eff7981952fbd1c3d84db4ef2a6

Download Submit
C:\VidBE\boddevloc.exe

Filesize
2.6MB

MD5
b605df6cafb3b8ebb9105ee217fe4288

SHA1
00e5a1ea0c2d6e2b7b648c5483def725eda1cbdc

SHA256
2a20edfc0242b0bd1bcbb2ac1f0af54d6b9f3a1eceabf274abca9664962413a7

SHA512
bc3d09ca47cf21dc18e785d3549f2d72ced1650bcb727e693b4159e93b1d98043a832f9cde47948616e766d971fcbb3a40629a16731f5ec650f34f08ae18e4a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
d29f247b8a4f62ca555a4434098d2db5

SHA1
d03e9eafcccb619cd067f0b121e6678b283d717b

SHA256
31a37572c3e7c0ba69f096097403c5e80808c66f47890905f1ff582b8d433a67

SHA512
5bcc47d5c7fb79077aca5508b87b4ee4c6eb5d715dca9cdb3f83801e08932da4e7dd90e1fa032359734e0135f1c89f20a16bc4093ec03b33eebbbf95e6830244

Download Submit