feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2712e52f3b219a414929957a9bada2c0_NEIKI.exe
Size

2.6MB
MD5

2712e52f3b219a414929957a9bada2c0
SHA1

0ae9db08eb59a601f4022cdad77c8c5acacc97d9
SHA256

feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4
SHA512

a13c1c734ea9cf430af26c1d45ed894864c40306200c96efe531eab412243cd92b8ac0ed677ce1d5ea51cd7c7e941589dbf6322e7d65606652caa3b8d5741a62
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bS:sxX7QnxrloE5dpUpA7b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	locadob.exe
688	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW0\\optixsys.exe"	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAZ\\adobloc.exe"	2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe
2348	locadob.exe
2348	locadob.exe
688	adobloc.exe
688	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2348	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	90
PID 3544 wrote to memory of 2348	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	90
PID 3544 wrote to memory of 2348	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	90
PID 3544 wrote to memory of 688	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	91
PID 3544 wrote to memory of 688	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	91
PID 3544 wrote to memory of 688	3544	2712e52f3b219a414929957a9bada2c0_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\IntelprocAZ\adobloc.exe
  C:\IntelprocAZ\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocAZ\adobloc.exe

Filesize
18KB

MD5
f3611b180f53e7b766446f16c0eb47e8

SHA1
b0a5575b4fca6d2ca1ebf68f998124b33189a5e8

SHA256
da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f

SHA512
80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1

Download Submit
C:\IntelprocAZ\adobloc.exe

Filesize
2.6MB

MD5
3fd82f12613ff5390b84c398b1e8fab8

SHA1
47faa07ec447fb3828bee7e14bdd92938f931b2e

SHA256
dd1bf4569f0d04192343dde492c704bc49dc79486ec676adc070b4c5b633266d

SHA512
e329e5634d8798c06240ea10c50dbef048d9794b2229047a71084ed778305d9098222dfc161cb3461188afb871190aba82fff2d0483059e7180e2f09eee5bf22

Download Submit
C:\LabZW0\optixsys.exe

Filesize
430KB

MD5
5a27945c917543e0f7db5cf510aec55e

SHA1
1d962a981eb2975ae5abd88c847a9834ca0d8b9e

SHA256
be49e0d9f34735e54641e9a1832717f779b983883d978d11b11e8bed62561e5a

SHA512
8807d2c9784ab937f32d9b1a39445fd0ef9e762cdca5a3055e108f5fc85ba31181ee875373d3d04f9655550ebce024f23264bd6c309142e2f6e5126c5a33ed57

Download Submit
C:\LabZW0\optixsys.exe

Filesize
2.6MB

MD5
1f43f96f3cb5c1c2ded7230da7b108e8

SHA1
b30b172716ed5da552f1408e07d5e8a8fa47498b

SHA256
8f03488916bdb23d6d4bc0dccba340308b5ddc906b28f1d707b80088060ea938

SHA512
4ee96bba873c055ae2b6dd9b795ed033b47ff1dde3e5cc585e4fcb0d391e623290650dbd1ad9a09a707057211b547cdcccce4da3e6b1b60158aea1bcb76a52df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
da4bc2d0c3975c4b2dc0d668fb9ceffd

SHA1
27256cc1f86dee392c7e7797520feec034ef0a13

SHA256
5bc8e2ecfdfc32429ed60ffda9e81d7a1da820542ae64cae1d3d88184ddd9eac

SHA512
2d8fe492d7ec3f185d250a29c662a56ea608ed45b2f0bd5253769cc8d44b694b1188ed89fd578041e66cdd788238dd1d98fa6eeef857056fdd5d643966b5644f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
43cd9917b22ed525aeb794c93320b88a

SHA1
63f236e0151612f4cf5b965be965a63a38e3fc97

SHA256
bb3f9aefb3e27a8c931747629f6eb302a208c1a0c1a3c2490259fc94fe825801

SHA512
65ea3e79192c5e7df41743674809e6786d8c24238340a730271807439f1889eebe25e24dddfc4a5ab6f86fb0c54872d387a573455d89a56a38f3a8fda805098e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
f35fd5ed692e20a63f70bf2cc2039773

SHA1
23a752590c854f10d782d2fcd013f9d538b92afd

SHA256
859349992b0ab5ace0a868723b5c2f7ef96232c3e63221908a6233071b928a56

SHA512
8c12bfa3f096587f374a9b3946fe562a286a957f43a2c8743d3f53e7b31379807b7f458e3bd19c88bc7434b8e6017d25b89ed4414b0790f13d53e64e1e593cd3

Download Submit