65f1330af4739c156b196d674fcf3dd31cd570ea922914fbdc87ee1f6deb58ed

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
Size

3.1MB
MD5

2e8357acbfdf0f648b43847ef84f9350
SHA1

12f636359dc489e37712f6001b0201a60bde8ea4
SHA256

65f1330af4739c156b196d674fcf3dd31cd570ea922914fbdc87ee1f6deb58ed
SHA512

0ab838d6f4e242a8cabefcda3d6958235b6f6fb4eec673b668ebc001310efc12f26b3d9fb9c9ebe0942fd098d454fd5781397442e28d4ecfdb7db4c7cf7af876
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	locabod.exe
2884	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDB\\dobasys.exe"	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotF6\\abodsys.exe"	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe
2308	locabod.exe
2884	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2308	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	28
PID 2292 wrote to memory of 2308	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	28
PID 2292 wrote to memory of 2308	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	28
PID 2292 wrote to memory of 2308	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	28
PID 2292 wrote to memory of 2884	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	29
PID 2292 wrote to memory of 2884	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	29
PID 2292 wrote to memory of 2884	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	29
PID 2292 wrote to memory of 2884	2292	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\UserDotF6\abodsys.exe
  C:\UserDotF6\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxDB\dobasys.exe

Filesize
3.1MB

MD5
bca4fe161875cfe90a355c80ec6aee44

SHA1
e7e6676b354262ae4373937f0ddd360ed5579bfe

SHA256
e22d75c96ee0e9d4bb13bca09bf14cd221ab48c64a2faa32e5c099797d222606

SHA512
4cfdc5e0b5d7a9f3ba45d0d563d81b7007ec45f9b2e9267442465e437c4ee4d7b81ce1810e7c9e5014a97de73ee4153f60fb5df5fdd8a0741f7883d0cd288b01

Download Submit
C:\UserDotF6\abodsys.exe

Filesize
3.1MB

MD5
52d1c4f9434976c859ce2864a27c565f

SHA1
8107a37c8192ec031944babfe0622842ee5ef604

SHA256
b42929c22c0fc3ece1f2561cdc405dd768d6c19cf5de6e0c4d4a34a1089f3438

SHA512
0635667d84e10866998dff217bec5f488f27aa320250d9c4de139b7f7e675d600db33758377bc3b52a2169728ef998a4f930a1281b8f916dc062eca799b9bbe8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
cd44be05391783e768759d4041b08c28

SHA1
655e71a00217bbe0bebe00a6303547d7fafcbffc

SHA256
30f8e79a16a13dbde201e8e295bdfb39565fe2627e877f6743d9e34a430c812f

SHA512
3bdc2e8508d00529f2f5df651939ccf5603759027ee985082f6234bca6ba5be45ec44c1a5938eb95a7f3f493fb637c4e94b2a8ab5acf4008e895ec14f449307b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
919c9e6062e09afa6313a780b79587b8

SHA1
1f5a9a38a08969cbc3d0626e07861b1a7d595abf

SHA256
c10b87b1e36cb0d2a443d7310fa5bfab6643e61ee9088289ed88e7c3801b8574

SHA512
ac73e8f37dc49d4f2cc557e72e4f1384b75f654403986128e3be3e7f7221d36f331ce7334097e54b5ee347f1b4a34527effa6cbb3c82349801f9f7a70cb62e94

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.1MB

MD5
0a36404bc7506aca2c160b834ac20fed

SHA1
524239ccfd6fc3dfd04923c6565e64afd4258322

SHA256
abb0e5577264248032c6fd9e975be4a4e14bfd10865260e76c036c633a6f5931

SHA512
f27853517c7097492bb93e7cdf67c5885ad8059500546c716e18870483c4477999f721ca4ca45495725a4cb6ba1b44016eeea6d7196ad664731df1fac4e5eff4

Download Submit