65f1330af4739c156b196d674fcf3dd31cd570ea922914fbdc87ee1f6deb58ed

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
Size

3.1MB
MD5

2e8357acbfdf0f648b43847ef84f9350
SHA1

12f636359dc489e37712f6001b0201a60bde8ea4
SHA256

65f1330af4739c156b196d674fcf3dd31cd570ea922914fbdc87ee1f6deb58ed
SHA512

0ab838d6f4e242a8cabefcda3d6958235b6f6fb4eec673b668ebc001310efc12f26b3d9fb9c9ebe0942fd098d454fd5781397442e28d4ecfdb7db4c7cf7af876
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
4888	locadob.exe
2884	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2B\\abodloc.exe"	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAC\\optiasys.exe"	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe
4888	locadob.exe
4888	locadob.exe
2884	abodloc.exe
2884	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 4888	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	90
PID 1188 wrote to memory of 4888	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	90
PID 1188 wrote to memory of 4888	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	90
PID 1188 wrote to memory of 2884	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	94
PID 1188 wrote to memory of 2884	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	94
PID 1188 wrote to memory of 2884	1188	2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe	94

C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\UserDot2B\abodloc.exe
  C:\UserDot2B\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAC\optiasys.exe

Filesize
1.2MB

MD5
51387bf65f6ab52367768502a2735d4f

SHA1
adcba95f62ed11a127237a38267dbea37b262242

SHA256
95db967c76a97f220ac69083da8205dc232cb635dad141b4ce7b59ba2778182e

SHA512
62a1c5440a88ccdf2a2a912e0f4b677e0b1955ff22222c62664b5a0e8a9fd5c8061bdd404a9e2058552da4a379d8195ff64f4c9a39b1c38daaaf8612096b6297

Download Submit
C:\MintAC\optiasys.exe

Filesize
1.3MB

MD5
c0a5f15b4dfebb4bda21132d2e81c248

SHA1
08fef8812b6cd03a75cff3422364673639461790

SHA256
5a9289825a84cd60e3d97e45655b2ccf5b6a1d9a51cbcd55da54628927cedeaf

SHA512
0346f969b79f35f7ad6ab00f95b00a84bca3d1c818546b2567d1458c7ec535758b8b892666937234356835b662f6a7a6c58fd7f5cb2242acbaf0fc0b8b7821fe

Download Submit
C:\UserDot2B\abodloc.exe

Filesize
3.1MB

MD5
fb92aca71100e0cb7ba9406426f745b7

SHA1
d8a57d94080034024465265781f292aec997e144

SHA256
5689da54712ac6801fc0b82d67ab9f5160313d06f7cc2f557bf2cd6099c03bea

SHA512
842b4fa3dde3cd03ce2846fd6affd017f0ca432cd3d27c3f8971a82b2d6d4063f66ff1bffbc8ac4772d3b6b7679634117a2b201b4d4d48bfba5eb629d26d33fa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
5979291c56ffcc70f8997be4c0694b01

SHA1
7522fa1055e6dccdffee1b0179f6ccf65eefe4cc

SHA256
b2a217e27dd372897039426f7bcaa9508fa45bb272d9fe9734c2da5a96a8704b

SHA512
f8bfc0cd1440f4d6f3d4efcb7383dbad627df3fd63892c587239e83c37670dec874f37a33df082dfeb001b8a11824e6962fddb44828f311ec6db21fd96f27d4c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4eb88432a06fce965baa86c462c3cb97

SHA1
fde18834e105e7d7ea22084e5d1d7ae5680797ab

SHA256
a55e802c6e8452dba3f0f492afcb65395e1cbcdfe2d407eff2f1a71fae84d07c

SHA512
b1354126af0726f568942f3e91f90dcef1f3f1e301e549928d7d86a0e404f7e0e4277be605b1500a5ebec3b8ee3faef2cf563a7ed09a5605b71933422d7a327a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.1MB

MD5
620dc7e5db34f96b1665e5bab010c107

SHA1
9032be17f1db216ce9a0688087a9ad3199ad7097

SHA256
4d58c80731104e9ecb53addc79154db5be30911004422a1d226953dcccd5ac72

SHA512
edfc4b03a737e9504d1b9dad5e62c706130eed00a79ac93039a7c9ecdbccbacf22c303b9f8623fe0ac194030c35cfacb4b657495a771708f61a76a1e98399cdb

Download Submit