Analysis
Max time kernel: 150s
Max time network: 124s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/05/2024, 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
Size: 3.1MB
MD5: 2e8357acbfdf0f648b43847ef84f9350
SHA1: 12f636359dc489e37712f6001b0201a60bde8ea4
SHA256: 65f1330af4739c156b196d674fcf3dd31cd570ea922914fbdc87ee1f6deb58ed
SHA512: 0ab838d6f4e242a8cabefcda3d6958235b6f6fb4eec673b668ebc001310efc12f26b3d9fb9c9ebe0942fd098d454fd5781397442e28d4ecfdb7db4c7cf7af876
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Executes dropped EXE (2 IoCs)
  pid 4888  locadob.exe
  pid 2884  abodloc.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2B\\abodloc.exe"
  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAC\\optiasys.exe"
  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1188  2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  (4 entries)
  pid 4888  locadob.exe  (30 entries)
  pid 2884  abodloc.exe  (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1188 wrote to memory of 4888  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 90
  PID 1188 wrote to memory of 4888  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 90
  PID 1188 wrote to memory of 4888  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 90
  PID 1188 wrote to memory of 2884  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 94
  PID 1188 wrote to memory of 2884  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 94
  PID 1188 wrote to memory of 2884  process: 2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe  procid_target: 94
Processes

- C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e8357acbfdf0f648b43847ef84f9350_NEIKI.exe"
  PID: 1188
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 4888
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\UserDot2B\abodloc.exe (level 2)
    Command line: C:\UserDot2B\abodloc.exe
    PID: 2884
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads