5bf7dfa476f878e494502e11b60216f8445bf9e87991869dec96becf0a1dee3e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
Size

4.1MB
MD5

93ebb4a9a9739d38184681e4068b8d70
SHA1

8509a1863994f8f181e38f4e18f062b0da39cb20
SHA256

5bf7dfa476f878e494502e11b60216f8445bf9e87991869dec96becf0a1dee3e
SHA512

5af841b59f96c324da8def1f53579d2d794e360ad242981456bde67f281f54d7237119b352be4fc6ab0fbf16acad50bd27eb0560ff10405d64026257015d4fdd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	locdevbod.exe
2540	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL1\\xbodsys.exe"	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5Z\\bodaec.exe"	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe
2796	locdevbod.exe
2540	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2796	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	28
PID 2872 wrote to memory of 2796	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	28
PID 2872 wrote to memory of 2796	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	28
PID 2872 wrote to memory of 2796	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	28
PID 2872 wrote to memory of 2540	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	29
PID 2872 wrote to memory of 2540	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	29
PID 2872 wrote to memory of 2540	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	29
PID 2872 wrote to memory of 2540	2872	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\FilesL1\xbodsys.exe
  C:\FilesL1\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesL1\xbodsys.exe

Filesize
4.1MB

MD5
60647d5f8b7fb202610af283d8344d0c

SHA1
e14858127c869f8a3a7db19c3b72af8f23fd1e49

SHA256
9a422f5341612093e8908b5ccd938c2d03b7b29817edd3cd30b9b5ea370eaaec

SHA512
c501cbecb1b6a5d1782047257503d15d666c1b9f8037a7f08dd3fe1b3ef6028b787fc4fb23d408fe95aba8f7e8d5566103730d69047a6834e79040757c025285

Download Submit
C:\LabZ5Z\bodaec.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\LabZ5Z\bodaec.exe

Filesize
4.1MB

MD5
ca4a6281daa1359502689f08fddaac0e

SHA1
c3e397e45e477a76052c3adc48ccf1a830ec0366

SHA256
441871d0944cb294e3f1f6de3d9384e1570e174c6d3599553850f58ab1b098cf

SHA512
273316b670aef7cf56d5efe60dcf2c303969f67a1396f751cdbb956961a634c6eb884742dc2cb1f7621be2e56ac528d5cdeaaa728390b37503336552ad4f85e7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
faf607a770cacf324f7c1e9a959a53f8

SHA1
e8d147443b7652731f6cc29fcc82ac5417871a82

SHA256
9c35204ee72ee7e141ab5345f417654544adde6f032a46864a4fab90036d7b64

SHA512
d61decd419cb6f429056d159038bbcbb4fe1fac3047004df4d4f5b70018a98d129c7b75a08ff1b6c153bb66ddda19db3c34ff594594129725cb0fda4481b1952

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
5c4e7bfe47b9090c8de28294f059affd

SHA1
99971b11c3d6404a31df4f5e2e15907694b266f5

SHA256
699ad096bede43e290848447b5774321bd80e91479891d8eb1c8248741a6fd96

SHA512
0b88365978424981e8f0f61c65d23ecaa9dea49b81c234cb4182c1cfc33f18017f88544f7eb4853d92e77644a4ae825371d6e1cfa837bdd32e325821951d199b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
4.1MB

MD5
6de40dca37f723e8ae1633437ad0154b

SHA1
4e01605219aab616f64353f0b34e4d99922de3db

SHA256
61daf6eb2c0d8d07014260472ecfe90e5982a234412ce2b0b5a0e6371c05f410

SHA512
797172dd60755b1c0ba865ddfda8a48d0fe148bf23a88f15f9aeb9bf8663e9569e0ac4e36ec7b18bea5d7f68c355a02f42de775a690428f9b390797c7c2f5ccd

Download Submit