107cc1212ea89108444411fe3e9f934f27d0b8646a5311fbc8040aef4b760a42

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d8f1df3af443e80741800dea5a9070_NEIKI.exe
Size

3.0MB
MD5

76d8f1df3af443e80741800dea5a9070
SHA1

19deba8426ad0c2b842b3125d8a4077b4ed5cb24
SHA256

107cc1212ea89108444411fe3e9f934f27d0b8646a5311fbc8040aef4b760a42
SHA512

54c10e190efd36819f10adece6478db7444fd74a5bd3e6fb817ec41774f0c56cccb178d6e0237b525b11ed3f9f85d272afb7ff65d0477238c45ec01853472810
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8:sxX7QnxrloE5dpUpNbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	76d8f1df3af443e80741800dea5a9070_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	sysxdob.exe
2204	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBP\\devdobec.exe"	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD5\\optixec.exe"	76d8f1df3af443e80741800dea5a9070_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe
2636	sysxdob.exe
2204	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2636	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	28
PID 3056 wrote to memory of 2636	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	28
PID 3056 wrote to memory of 2636	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	28
PID 3056 wrote to memory of 2636	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	28
PID 3056 wrote to memory of 2204	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	29
PID 3056 wrote to memory of 2204	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	29
PID 3056 wrote to memory of 2204	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	29
PID 3056 wrote to memory of 2204	3056	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\76d8f1df3af443e80741800dea5a9070_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\76d8f1df3af443e80741800dea5a9070_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\UserDotBP\devdobec.exe
  C:\UserDotBP\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBP\devdobec.exe

Filesize
3.0MB

MD5
93cbc279e49e8dbe168b4e2cbe76398d

SHA1
ac9c2c57444997f04f92c7ae1c37e378e0e62fe9

SHA256
e544c5182fac424cccf97b438d47ca7768ca319cc5e1e0063abcd1109a2729c6

SHA512
e26b1d8892e3b36fa68f04d5e736041d0eda5297ad234b751428cb05905688fdc2a1f752c95e9539e0111afa820b2e7bddd527004457bcd467dbe5acb2f659ce

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
7425a988321152a3c7304e2d118191f1

SHA1
aa1713fbc85760d49cadfd4526e57772ea87a1ff

SHA256
302debf8b45e34835370bc238c7593bd7d287025ef350a00f4346c39d28cd868

SHA512
76c8b99af798e5b40e866757da31f2a0dcc625a9045c8eee95fe0136a78fcf53f27bd12a56e41838be4734f90866578a27d423cabcf4f82be53f6baef9b9081a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
50f2428679aa595072b99c02f70af307

SHA1
a04e2e17364e9d168d7c36eb356fae44e64d6c89

SHA256
bf53a8e40b25a488ed5803119a8163231553164bf1b12cf66ae35386f7266985

SHA512
e7c45701d7166b3feedce2b64b211440c92c86cdb2b45cb18948ed3b5e144942e5a9a367248a2a12d72fedac37a4ffcbe1fb8c9820b78da8babd1be9755536a8

Download Submit
C:\VidD5\optixec.exe

Filesize
2.3MB

MD5
3f6ddfbef66ce4de53e2e5a0165bb8d5

SHA1
c195a138a3cd7996ac69befc6a8c2dd67a8ab289

SHA256
384af4f6601befd55b41aa9ef3fa1b0124d0390054a2b38c7efe13fc0b51b667

SHA512
8096664b9f8cc80cf1851e9d0b6ca1d805465549081dafc9a06100987c119e87e0dd30a2930843777932f6d61e5e11a598f9f668af07d4dc1a741ecfc0464910

Download Submit
C:\VidD5\optixec.exe

Filesize
3.0MB

MD5
7928c22848baf640d8bdf509f72519e8

SHA1
31b6bbb6d41f1b2a99c05e1fd6e40a8c65baf860

SHA256
f0f888ab91513807f8e7cac5b6dd8b6ea9810163a927e44508890bf12aafa265

SHA512
4abf87e239442bb92fe0396843494b1fcebc85bb0e1f6c16ae3a1b9a1796522920d5a3e92093ac212e6bedc8d95b79bba8f677e770cbe0a825357aac1206c285

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.0MB

MD5
2bc5ca389e84dc44b1dea4e8b03cdfbb

SHA1
3dad75f18cbc3eff0c4f332085fe8c0abbb1cb94

SHA256
03dc42240853c2c8a6cd7d110969a03b31b07dae257f45f829b47074701cf751

SHA512
32193fe65912a52453a684495816e8f8b7c99ebb87464dbc7a76b91e55bc49e8806cdaee347b12826fba3b38b823799c0fdca71963214e3396face9903cfab66

Download Submit