b59b8f04ac20aa3b9a374e37d1d956837ad8f99349c09c54619b19041a05c5c9

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98a905235a42d7c38fcf83580d259360_NEIKI.exe
Size

2.6MB
MD5

98a905235a42d7c38fcf83580d259360
SHA1

3fd557d3049675e9f676b02b0d0e81eb2792dace
SHA256

b59b8f04ac20aa3b9a374e37d1d956837ad8f99349c09c54619b19041a05c5c9
SHA512

eb115a105ef725f807c977146dd39dcf5d287b3b77978c36222573dcb26a22fe044c74ba5a4c626e4fc31dd46da07791630326a8c909862355f98d5d97aee0f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpwb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	98a905235a42d7c38fcf83580d259360_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3416	ecaopti.exe
3916	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBY\\bodxloc.exe"	98a905235a42d7c38fcf83580d259360_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ7\\aoptiec.exe"	98a905235a42d7c38fcf83580d259360_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe
4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe
4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe
4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe
3416	ecaopti.exe
3416	ecaopti.exe
3916	aoptiec.exe
3916	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3416	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	91
PID 4688 wrote to memory of 3416	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	91
PID 4688 wrote to memory of 3416	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	91
PID 4688 wrote to memory of 3916	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	93
PID 4688 wrote to memory of 3916	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	93
PID 4688 wrote to memory of 3916	4688	98a905235a42d7c38fcf83580d259360_NEIKI.exe	93

C:\Users\Admin\AppData\Local\Temp\98a905235a42d7c38fcf83580d259360_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\98a905235a42d7c38fcf83580d259360_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\AdobeZ7\aoptiec.exe
  C:\AdobeZ7\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZ7\aoptiec.exe

Filesize
2.6MB

MD5
0231bf129989e68d7c3e1b28ad4a8dec

SHA1
6c0309dd5ab053d3f2125ce37f76889d2d9d173b

SHA256
0900e31f17dffb1b7d8fad8399830e756530aadddf0c369714c41bf224a24f39

SHA512
408b219855cbe7a13db59249786c3a5d6aca59f304bb9aafc081e661cac35d6126fdc2f2296e2062cee33ce847c4d941170db898e6613f388d0129086bbf206d

Download Submit
C:\LabZBY\bodxloc.exe

Filesize
90KB

MD5
614c779a340bc63bbb2c6fd44b690a8e

SHA1
afc2af3aa2647905de3ffbdfdd2298611e627c6e

SHA256
0bcd4c1676d7c7b2869f5823102b8d5ab5b5185d56a9ed14bac5a403b2b6f41f

SHA512
c92e60d8488e2d88c1bb5679870786c0614aa2026a2788f11b255ddabc6e73bb30569fa7487befa7a8d71a989cf0ceebcac4e1cf59d6f79df76a46a6c805e4dc

Download Submit
C:\LabZBY\bodxloc.exe

Filesize
2.6MB

MD5
7ff797459da4d10d41cfb012d2bb2179

SHA1
c97f3b10e9ab6f01d90a8ea8cbc0821845417149

SHA256
ed9fa547683492e050fc52d4ad4068b10c8754f0d17ef98eeeee083a27089fd9

SHA512
9221094c22283a0eea010d4f277f0d6025fa056b2a33b982b5e776a53efde80c8f636a486c4df23880dc6c2a021e6e79b6f9428ee81ae48699862feaecec4425

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
054970b016ae51adfb9cfc9458f54231

SHA1
597d29a3d0fd1b6f722d109aa3889c338238f6bb

SHA256
45577945dd22d96171c44c439986b54219c08906cb3ab1da25cea56ab9ad31a1

SHA512
8e9a05e4990c4eea8f82546d20afeead136276058b4959e5650ce5d02f355fc03473cc8a75c77e6b10532fe74a32b1b00122dbf6a7f12aa161b78f6f4b2839a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
78c970f7e74563f4c929e35481659ca6

SHA1
275cc6d254e75715cc46ab7e600124359af741fb

SHA256
50bdd37a0798f86b10537850fb694aea62e17d7f2ab8f73d43afdfaca8402d64

SHA512
4ede6ca2baf432111bbc8491e2ab8fdc8e0758c8cb0ec5e5427108c5a2b24d5533d6eaae6140e803d514ecc992ddf69deba5bcd90f66ac274aa3cd7fe5dd2890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
c61f233a3e3cf15ca6f3d652f90ebc24

SHA1
55e24028111466b381626f6136ff0835f8a5bd94

SHA256
473ca3872d3eea6fa909f628dfe0994d1d1b092a26d949f0201557b755f4caad

SHA512
31ad3e4136dc6253d54917dc95926eb43145c34502a172bea2c9a136998f654f63b228cfaa37638dac53641ea49b37a87b8c0e399eb90fa5210791bbfe9df61e

Download Submit