122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
Size

4.0MB
MD5

72fd6e866a4b053c05123393dd6fcae0
SHA1

c914dd795c00507039d5e7527e893c8008d0c0d3
SHA256

122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331
SHA512

3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe

Executes dropped EXE 3 IoCs

pid	Process
2608	locxdob.exe
2696	devbodloc.exe
2676	devbodloc.exe

Loads dropped DLL 3 IoCs

pid	Process
1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
2608	locxdob.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSM\\devbodloc.exe"	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3V\\optidevec.exe"	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
2608	locxdob.exe
2608	locxdob.exe
2696	devbodloc.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe
2608	locxdob.exe
2676	devbodloc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2608	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	28
PID 1760 wrote to memory of 2608	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	28
PID 1760 wrote to memory of 2608	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	28
PID 1760 wrote to memory of 2608	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	28
PID 2608 wrote to memory of 2696	2608	locxdob.exe	30
PID 2608 wrote to memory of 2696	2608	locxdob.exe	30
PID 2608 wrote to memory of 2696	2608	locxdob.exe	30
PID 2608 wrote to memory of 2696	2608	locxdob.exe	30
PID 1760 wrote to memory of 2676	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	29
PID 1760 wrote to memory of 2676	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	29
PID 1760 wrote to memory of 2676	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	29
PID 1760 wrote to memory of 2676	1760	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\FilesSM\devbodloc.exe
    C:\FilesSM\devbodloc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- C:\FilesSM\devbodloc.exe
  C:\FilesSM\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSM\devbodloc.exe

Filesize
4.0MB

MD5
536a605c77c8f758ef1f4e0c74557640

SHA1
897fa8f627f54ac8c94f5b2cfafccac8fd2f80af

SHA256
a758329886c6a98ca33f793637930ff871f6c6bca1be70222263049798c248f0

SHA512
2a4406a9e5a46557861f1b830ee16d5cd45d7cda9f781606924798fe66ee4af4fe23995da0650506749b77c86c109a9a30d6bf2dbeca2f50bcc3eb078bc36355

Download Submit
C:\LabZ3V\optidevec.exe

Filesize
4.0MB

MD5
d89a94cdbd1d6a3d59b8d87427b8fc34

SHA1
fb3b80693c2dbb00e5a6ba8cffa9f5a97cfcf0fb

SHA256
47d93c053b2857505b3f61aaba4585529fa05605e11bce9f3a4322d595ef6216

SHA512
8c5e11b76a49dbc4b87a61c62a9c0780132737fe946685d7a2a25017ac84c8af0505b73b9c207523208157f3b54f31e08870c81e78d221660b44e2ffd750e6f1

Download Submit
C:\LabZ3V\optidevec.exe

Filesize
4.0MB

MD5
b6ed1409eaf1e11a0508dde38123c63b

SHA1
75e74575a58e961ab68c57b633c69b357af61f6b

SHA256
2ce3e8b920a7bd0e3c69f093722c97b748cb1771c0d64bbafbf372a28b583f4b

SHA512
0176f226bd1e92878f7d7cf1e6e8eae365455bbe5163da2f8fd96bc870891bd3057c4d4c388db8ca6b72df912c2577c79cdec9dfce7c8cc782c003b28bfffd4f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
dfcc7d9457814253bbafcc1788313c4c

SHA1
70a80a73b329f4c588e8b64b4f15f1f0e6921345

SHA256
1f860be5f295834446b5c93982e25f2e324ebfd6af36b38d299b358661e8aefd

SHA512
5ae8e07e2a03f9594b592370970ee5f82f9537460925858837027d5fceece0714e3e002a28dc5b07b935e462d756f886951486f0f5aaa1e48f8c48d33daeb270

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
ed22aca4560879d84b79671980055814

SHA1
b3873cde43dd082603035959a0fcebb0598097d1

SHA256
388c5f74e669d7ad25c7a16af9510dfc72be8f7a7501871be74e9259141093f1

SHA512
35ce95d5aa1862c53b636f2d58c5ba23cac1a61c0efe5e5ba1f4efdd5e9141f3e6f1c4a3ae98f7a28d654979f0a757a0ef58b9facf0fb1134fbed694d0dba0d5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
4.0MB

MD5
e15e19733ffa9ccece1a9e05cb2028c6

SHA1
ff8b6092625b0bac896d2a9c6fc6a3f0f13406b5

SHA256
18c146525ce32d43a462353c5e8630a1aacc88794099ae95649620bae1a67fe1

SHA512
e017507cb12da020611d84d03cd08b6133681d1a5433391faf2ec39e0d36a08b360b659cffbbe3da124792d3b0b4628e963f4662719a06cac45c9b8fa297d280

Download Submit