5bf7dfa476f878e494502e11b60216f8445bf9e87991869dec96becf0a1dee3e

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
Size

4.1MB
MD5

93ebb4a9a9739d38184681e4068b8d70
SHA1

8509a1863994f8f181e38f4e18f062b0da39cb20
SHA256

5bf7dfa476f878e494502e11b60216f8445bf9e87991869dec96becf0a1dee3e
SHA512

5af841b59f96c324da8def1f53579d2d794e360ad242981456bde67f281f54d7237119b352be4fc6ab0fbf16acad50bd27eb0560ff10405d64026257015d4fdd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2976	locxbod.exe
2520	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNB\\aoptiec.exe"	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1A\\optidevloc.exe"	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe
2976	locxbod.exe
2976	locxbod.exe
2520	aoptiec.exe
2520	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2976	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	92
PID 1748 wrote to memory of 2976	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	92
PID 1748 wrote to memory of 2976	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	92
PID 1748 wrote to memory of 2520	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	94
PID 1748 wrote to memory of 2520	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	94
PID 1748 wrote to memory of 2520	1748	93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe	94

C:\Users\Admin\AppData\Local\Temp\93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\93ebb4a9a9739d38184681e4068b8d70_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\FilesNB\aoptiec.exe
  C:\FilesNB\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNB\aoptiec.exe

Filesize
4.1MB

MD5
e61f001cbbbcde47d5e76fa07db2400d

SHA1
b81d52813e96c4c8e439ce9cac1f88d49e2fb6c6

SHA256
2d250aca3b3069e57bed03c2247bff3006e8954525ad373b79e061d5a6da9934

SHA512
a9b680a497316423fc43fd33b7277baa4cdbf38dfb8226cebcd25b0453ba64ec89efb70d3887537f45cb72f2635f454b5a2bf07249ed155eb0c8026af1cedeb9

Download Submit
C:\Galax1A\optidevloc.exe

Filesize
4.1MB

MD5
48da6c0eb8b53d76b4a87cae1f586427

SHA1
c31d728558dfb42d20accf69df22b97882fcc0d3

SHA256
212643d4bd9df6691e97683b82aa6c3bb79306d6b45ae24c9f54600e7e6d53e1

SHA512
32132c5c121d83374476e7dee12c5d3ebf96d642dd9ae2cd7ee49c187a53dd908a399b2e0bc1c951ab650d2f06f5db0102f580b786bfdbdda8bae78f14deb5c6

Download Submit
C:\Galax1A\optidevloc.exe

Filesize
700KB

MD5
dec93001fb23815f43c884c722fd3f5c

SHA1
7818ee96b8cee34f924213d7347f63959c36e983

SHA256
ecb3043c3382625da0f95e9a5398c9f9d30f07a3831caee5c050e0ab994779e7

SHA512
27684e9a6b160ccc8e41cf144f55d0e1b3c93a532ec2f4a21623e9ed60d32b7305aa306e354d208966409d6b3d62ba6474726ffa03d6951757ff9eb24e5c9f7c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
3eb84190eeee98e7e750b44f17ffef73

SHA1
7ec3186cd88e8b9caef49a36c1c60c444b8f5ec1

SHA256
d98367faf68168d651464b9e6ed28e8a641bd6eae3d5b1e5cd2010f131fc60e3

SHA512
ef256f2e2fa4cf4c3c9d485c857221bf8fe711a4090bd55cb4e3a0ceb3bbb1bd9c2b2f96dca515e70f20e92808c0449d32ab7b04ad7e3235feb8355526496ff6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
00809cad69770e4fd7534d673aef6937

SHA1
e268e55be152657f77baf3084f7346af79f74952

SHA256
e6bd2c2db4467c0089553f4d830a6decbc3f217b68723698d69c4f812c4fb47e

SHA512
bdfb7319a2e274f4053532d499486b10a604a61980fbf5757125d17d324ca5ea9fc3e4e50e32db43373fb55530352e2e896710edb03bada8de83bd7d0b4e3155

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
4.1MB

MD5
9fbdb3e67e25f78efcc32dad9182cfd8

SHA1
421614f01b717c5abb0dd51880ae022c2563104f

SHA256
5440eb4c652fb891a82655303433c0cafa7d8ecbea6e430ffb79bfa5f0b5cdd8

SHA512
0d9b1dd35de6e84c8650627008e8cb52a760af1898c3b1521662ae8b0a9907155a413683b9b751b3d0daa8d6071d04627d2d7cf30750aca094590bcdb52ccb93

Download Submit