377fd6d5890fa781718d6ef62c8fb24c185b8c33a1f37f27675fb904b8ddbf53

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82097a389291ac325a3d5c88ea199f50_NEIKI.exe
Size

3.1MB
MD5

82097a389291ac325a3d5c88ea199f50
SHA1

42916683236894449bff411e54b8918276e3ba7e
SHA256

377fd6d5890fa781718d6ef62c8fb24c185b8c33a1f37f27675fb904b8ddbf53
SHA512

be2eb1c842f3c24acdc6e03dbef0535a75b890de3a17f88be3125bca3b698b2ec0981a581de16a58282c7c78074834368531077b53d7f159358f603ce1a0073e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8:sxX7QnxrloE5dpUpRbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	82097a389291ac325a3d5c88ea199f50_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1896	ecdevbod.exe
2680	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe
2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0V\\abodec.exe"	82097a389291ac325a3d5c88ea199f50_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidP7\\dobdevsys.exe"	82097a389291ac325a3d5c88ea199f50_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe
2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe
1896	ecdevbod.exe
2680	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1896	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	28
PID 2804 wrote to memory of 1896	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	28
PID 2804 wrote to memory of 1896	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	28
PID 2804 wrote to memory of 1896	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	28
PID 2804 wrote to memory of 2680	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	29
PID 2804 wrote to memory of 2680	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	29
PID 2804 wrote to memory of 2680	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	29
PID 2804 wrote to memory of 2680	2804	82097a389291ac325a3d5c88ea199f50_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\82097a389291ac325a3d5c88ea199f50_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\82097a389291ac325a3d5c88ea199f50_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Files0V\abodec.exe
  C:\Files0V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0V\abodec.exe

Filesize
3.1MB

MD5
847f5b71e093dee5f90eb81ef0fb5c83

SHA1
c93994998ff3675f65306f645e794171cfc64623

SHA256
989624ffaceb43b569bc3fcf27b55c1c295cac2fa376cbfba444c46616013192

SHA512
a572bf08406c2bf3b3b659904828ecc586079a61924512955f59c3108678459ccd7fbc7786ffb1c939cd8bd2274396bacbd6edf4bc9029ba6204260402895793

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
794dd431b66eaa9ff4e273c68250cba8

SHA1
111749cb64a0db53dea86cafd4cda3b56769e0cf

SHA256
d7c12ca18fdfe910811e67d2276ecd6d6274ee31094b156f1c7cb80d2ef939be

SHA512
ed35c7bbf5e083871c729b96be29702072ecf7742c637168ee65f9b66e2119f4025de65a39d488c3c2190db9f21f4e6cb859215d2aad1063edc49f58a856ebd5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
3741afb2eb9d54c48bbc8ccb71b0a516

SHA1
f9f51e8b80c3a5cc6025d8967d0900d3a0cdd222

SHA256
a5f3ea30aa9459f3aced54c3d1685670c569c203c118aa11b54421f0594c2134

SHA512
5a40cef3a792ba397145f05cd9e6f05c4b85a9a5f506ca40f5d9b72f7e3a0e3a51bf2250cc2283d766b07ac5b7552c4f8d42a119f968f0ccfe19b507cc47618e

Download Submit
C:\VidP7\dobdevsys.exe

Filesize
3.1MB

MD5
d9a647c2a0b1a1bc95d81eaa4696b15b

SHA1
c9c72306fd80befcf52e7704236cd44f95f2b1cc

SHA256
7759cb747dad313c33a999c73b9f435c14c6612a4114405dabbf6519d3abd5f9

SHA512
ae4b7d3f94cd39bea583b8ac94e9530c6e9fabe2de2abe86e2fc9e668eadb0b1f997fe47e8c9510ccecb187000a00638f35a0f5659d90a4d38d9b29e1d556531

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.1MB

MD5
d8b9ae221c3634505545a95320c639d5

SHA1
d60a03f1d808d2c8da9991069eb9c68eb0f7a247

SHA256
88db59f4f650e6424a736a8ddd69274cbbee08210cdc460e8677e29b834cd3de

SHA512
8f8d38a44e6490e8b1ab8c752ebecf685d5e33fbae6ba07cb8ebc6cf7780db02638ab47d30960caa9199a5f120f78f0218705c89223a865662fa206f55479214

Download Submit