4a59f50b1592184d5fc8e784d4b2ebd4eba2b844fea2fe22afda0e38ab25ec5a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
Size

4.0MB
MD5

aa1d7a0d620e26a5b372204f518530b0
SHA1

d752e0afdfea8c8a71bc012e031c964004251be6
SHA256

4a59f50b1592184d5fc8e784d4b2ebd4eba2b844fea2fe22afda0e38ab25ec5a
SHA512

3e67c55f9c6cf3c28da281097c099a076b14d3a876d47b74a84bcef84d0ae104fa6924890f838b37f70920c605d16c8b1e2c4b4eed37315f03672e29e4ad9d88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	sysdevdob.exe
2620	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVA\\abodsys.exe"	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTG\\dobxsys.exe"	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe
2896	sysdevdob.exe
2620	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2896	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	28
PID 2164 wrote to memory of 2896	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	28
PID 2164 wrote to memory of 2896	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	28
PID 2164 wrote to memory of 2896	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	28
PID 2164 wrote to memory of 2620	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	29
PID 2164 wrote to memory of 2620	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	29
PID 2164 wrote to memory of 2620	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	29
PID 2164 wrote to memory of 2620	2164	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\SysDrvVA\abodsys.exe
  C:\SysDrvVA\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxTG\dobxsys.exe

Filesize
678KB

MD5
abbb940985738f510e96bf61f7c818e2

SHA1
c35a107bbeeac5d253ecddd81fb660c6babccda1

SHA256
d009e7405498a2865f16a0fec7e97c60df0eced3e963d7948ec6182f76cbda0b

SHA512
4dece998bfa8e2cadff605791be07e2563038c2b2452e807ca9a358b9bb502f0eacd963e6cbbe1162266ed62d63520fb368bd96f694083dec398a10912726de2

Download Submit
C:\GalaxTG\dobxsys.exe

Filesize
2.0MB

MD5
d582a29fe099871be4bc509ea2489d6b

SHA1
96667613cf13351d2ca249e6eba3fadeec5640c9

SHA256
206bb9b4a0c4de4cb5ae4393d3b03ab7a3098735e3a49cf85b8207208f9779d8

SHA512
7da861d64f512db1fa50758c275a73691c333df1102f2dc12de0cc62112a6f155a486654f49b57eb52582b816b33fe61ed33b74f2881ac197b85f0664db62317

Download Submit
C:\SysDrvVA\abodsys.exe

Filesize
4.0MB

MD5
7a05438749a7ea204d3e818d5a574b8b

SHA1
831722568895a7637833dda8f9544ac4c3cf3a1f

SHA256
b6de8049a25ae9c6a09d972febc2658ab6ec58939462444a928dd1bb8cd5b402

SHA512
412b5c2f97236a32a164020fad29308ece5354a4a515ef4a303a694a32d1d6e16af5a44faba2d0768c8cb32701c33c74e38c8bd6893fd7452573c52bdb3f61f7

Download Submit
C:\SysDrvVA\abodsys.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
850ad83f3dfb6ece4e9478a6f2f0a5c9

SHA1
b7dc33aeb979ddd549ce1d8405cd2d865d67f7dd

SHA256
3986fe484c2882744855fa0bcc61ce91a4366a1e69de564534c0e6f796354f14

SHA512
82cb68bfb7ce33a104a0d19f3a00e53c1cff989a9da0e8bd26d18dd03c1cc9a2c3cf46ebbfb18a4164182938e0327f02395f8b32e3db23885a8f00929d110ac9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2c7d52e7801a84dbc1084d6890cd996d

SHA1
3a7b4911c8a31ecb0bdd68bbdf8961c42d21a183

SHA256
d2f2a6effa325b2ae0374307e44953eb87eb9cbd47facd704029b37fa4b2484c

SHA512
3d12496fc712e5fefd76abad7528cef2b5ddcaf62c80f5db3d298ea9f6106dcc9c2bb51fc545f5b3c769e7ffb32a572b1878246ceacc05d3d456378963fa887f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.8MB

MD5
c372c2a01da5de2bb81f977372a47ec4

SHA1
64005712733f6001f03b721b6373e76b0617f52e

SHA256
086716ffb4695f6347eb4014c2d25161ac90afde54a4d152a8ef988b8309d4ec

SHA512
65d3df62f23877c9771371481a7ea1c95d4a846aa5c57025eacd2ea26e23364982377d268b701f1a24f719a5f2d4e27b24cebc77c1e916dc60bd8349fe9996be

Download Submit
\SysDrvVA\abodsys.exe

Filesize
1.9MB

MD5
1915fdd937da72ae64b0e4efabb29568

SHA1
e306db7d90fae6039909a04ae7e257fd803536a7

SHA256
fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9

SHA512
fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Download Submit