107cc1212ea89108444411fe3e9f934f27d0b8646a5311fbc8040aef4b760a42

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d8f1df3af443e80741800dea5a9070_NEIKI.exe
Size

3.0MB
MD5

76d8f1df3af443e80741800dea5a9070
SHA1

19deba8426ad0c2b842b3125d8a4077b4ed5cb24
SHA256

107cc1212ea89108444411fe3e9f934f27d0b8646a5311fbc8040aef4b760a42
SHA512

54c10e190efd36819f10adece6478db7444fd74a5bd3e6fb817ec41774f0c56cccb178d6e0237b525b11ed3f9f85d272afb7ff65d0477238c45ec01853472810
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8:sxX7QnxrloE5dpUpNbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	76d8f1df3af443e80741800dea5a9070_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	sysdevopti.exe
4068	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6T\\xdobloc.exe"	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid14\\boddevloc.exe"	76d8f1df3af443e80741800dea5a9070_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe
3076	sysdevopti.exe
3076	sysdevopti.exe
4068	xdobloc.exe
4068	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3076	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	90
PID 4640 wrote to memory of 3076	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	90
PID 4640 wrote to memory of 3076	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	90
PID 4640 wrote to memory of 4068	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	91
PID 4640 wrote to memory of 4068	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	91
PID 4640 wrote to memory of 4068	4640	76d8f1df3af443e80741800dea5a9070_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\76d8f1df3af443e80741800dea5a9070_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\76d8f1df3af443e80741800dea5a9070_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Intelproc6T\xdobloc.exe
  C:\Intelproc6T\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc6T\xdobloc.exe

Filesize
3.0MB

MD5
1f3e9da4ba4a22e92c8c47938ec7301d

SHA1
9eaa94eecbb3afc5d8b9cae54626fdc680404389

SHA256
e2b1840e95f3d331d186d4142ff578ee1898dd26f9e8ae0b5274bd99c51c9e67

SHA512
d8d30c2d3a255850c5b8ad8e94c27839f1059ba540115ed9cd4787538b82cfaa46ad48b6fab3eeb2400db3736160ab79fbab650750c9780289e809d510d47269

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
472853cfdd1f29a5ea641e95bc21e1cc

SHA1
c3a65719d2bdbfda03ed9e08f06a2af21c69b150

SHA256
e7728c87389167f9b0b9d82c8215818b13ff59f15a9bc7d8d6ee4b671a85a8e2

SHA512
fdc317502cc28e3f10e58e4cdace6ea25f283f02da29b9bf6faa0bc985145864f20995a3301a67899f55087bed4300ba8ffac15d2dab128f8330bd19c6c70a48

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
f6e4f179dd53bae5fe74e6ce002e07a4

SHA1
04a5e92bbacc766d4ec6fa994e66cd377b0bfa41

SHA256
36270514fcd3dbeb00d5e0d768db23a029f516abafb9e65c5e794f8c6387674f

SHA512
920185723d022b377d5acaa640d84c148fdd4aad90bb556f0c10f037033cffea76d022721443b13584d6db7e4359713f8600f9ac1e3add4b3143415de53d2f86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
5294181d963e58903eb2daec23ca66c7

SHA1
4dc5b4e0186d7cf4a8550038a91a384cc7f0eb8e

SHA256
38fc12208e4ca2f8bf943c186b52b9e79e17c2897232e29b764ac57efea189f2

SHA512
967428ef4315a29de0f434d9d9a005af79e363e7acdb2bfa78770102c59569b1622dc05bca74031ab74d5ebb158a7397d68d033ff70ed0dbdde6798ff0815446

Download Submit
C:\Vid14\boddevloc.exe

Filesize
464KB

MD5
a10fd5e4453d72341f2b720e50525998

SHA1
57a326d6db2654a580649725571859c81da796a3

SHA256
ac84fd09cd684d1c0430f0ece62e956f305c060e6528974bdb0e2f0b6e3f77c4

SHA512
b4c8a6fe33a5326658c454dbe0c384c80c5549088df2f569349bbdd3cf3cc9dc156fc1e22e31c23b999289be164adbb7cc550f194071e49179629c069fd14dbf

Download Submit
C:\Vid14\boddevloc.exe

Filesize
427KB

MD5
1ab1638ece129b9eaaede4e6b24165ee

SHA1
f37b4c238048db346dd0b2f5ce62e53d443b5234

SHA256
98bf0e7e06398137bed0b1131ca1e0d06f623b174c42d748cd5aff584eb606e2

SHA512
33815fa293ac07fcaffb93fcaa9fc609f03141023e5971c815a07bdff364bac8432822cc7ed32574910edffa21c7eb310e7f4868f480c0be7a2fbcbb26043290

Download Submit