4a59f50b1592184d5fc8e784d4b2ebd4eba2b844fea2fe22afda0e38ab25ec5a

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
Size

4.0MB
MD5

aa1d7a0d620e26a5b372204f518530b0
SHA1

d752e0afdfea8c8a71bc012e031c964004251be6
SHA256

4a59f50b1592184d5fc8e784d4b2ebd4eba2b844fea2fe22afda0e38ab25ec5a
SHA512

3e67c55f9c6cf3c28da281097c099a076b14d3a876d47b74a84bcef84d0ae104fa6924890f838b37f70920c605d16c8b1e2c4b4eed37315f03672e29e4ad9d88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1852	locxdob.exe
4408	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOZ\\abodec.exe"	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\dobxsys.exe"	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe
1852	locxdob.exe
1852	locxdob.exe
4408	abodec.exe
4408	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1852	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	89
PID 2020 wrote to memory of 1852	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	89
PID 2020 wrote to memory of 1852	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	89
PID 2020 wrote to memory of 4408	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	92
PID 2020 wrote to memory of 4408	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	92
PID 2020 wrote to memory of 4408	2020	aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe	92

C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\AdobeOZ\abodec.exe
  C:\AdobeOZ\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOZ\abodec.exe

Filesize
4KB

MD5
ede40b36034d11420daf9b761d447622

SHA1
83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7

SHA256
6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4

SHA512
0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

Download Submit
C:\AdobeOZ\abodec.exe

Filesize
2.1MB

MD5
e647c699a64ec64f67f457b0c20cd82d

SHA1
3f93f6a138e0895e8603716ac5613973f0d05bd9

SHA256
6372fc6fac0735e4481dcf138579ac75ca4a8c2788339f552bc0ae9194552072

SHA512
a735ac76944a983f409cb79be13b32c7c5e7baad930104eda7372f9ab06dd1ead1491c6ef1b104f5ed22b6beff7634ff73c65d9262fcc51b636202159a70faa3

Download Submit
C:\AdobeOZ\abodec.exe

Filesize
4.0MB

MD5
e2af933394d1a195ddc7739a8760d6d0

SHA1
bbf6d00ba1b0177e1e6bd58ca32d011fcb91c8b2

SHA256
f96dc7b0bf6f99a435e820ba7be8fa88afd51a74b51626c527f9693b6909aab6

SHA512
eb0e545b75ed30a466577349adc7867f0f838c1025cbca918badac0b287ad32e5fde97766dfaff7068a3cec2668e61a6b575c4138e910d5b7f46d4cc7e653138

Download Submit
C:\AdobeOZ\abodec.exe

Filesize
1.1MB

MD5
44c4402fba4058dd39f02f5dc489f14d

SHA1
7da934c158c9f0864b316b6f0a08b0b6f9357d4a

SHA256
b3b911bee93020886c40108f421187473cdf0a1a71ad9f55e3183e4544d7a783

SHA512
0f46d89591de28a62d6ef22626e865d0429ed0097fa0138891cb005e477711d85dbdf54720423dc07e742385140518acd3a722fea8ca0715b2a6b9380caa7fc0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
372ebd1c419bdebb052946d619d8a852

SHA1
4973959b22651951e3e016e527aa498481dbe9c7

SHA256
90c50a69a424bfaf459ae9a80ef8c885f6104aa71bc8ea6774caaa32c4c15b5f

SHA512
92cf5875ce973d5824924d48dc0467c1956e9db785b8208c3e8e9cc6ad0a42e3d26e0a3a6367e426c1919fd27203b81dc2259baad4d3c0a596df6746ec048c29

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
166B

MD5
9b3674c988b2b5de0ca93c3dc50da090

SHA1
c215e7d1bb4327a3688243e39a05a4be3c0853da

SHA256
3f684e9642cb66bb908710ba89d97184506b4db12dcef6f582eff91bb8328e87

SHA512
ffda740ec0b35b18cff741baf28d321a94a806c21cd2cb2ffa3f94ba0ea6e451290fe47a3c5799387329f1b8293b9732f07a5b157cc9d4ca3e7a4ea65f9823b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\Vid10\dobxsys.exe

Filesize
2.2MB

MD5
fd6b4f33ea00a780cb7f513a5c19a7e9

SHA1
3bddd840b743332ecff71c1e3424a9cd4c046050

SHA256
873ad4400997602a828095159ad6e95d974996e587593c15a6ea2447b0b64e44

SHA512
d5463ff2fef091b647f11e825a0a5597ecfe066cce3cc8b7991ee4437b5c6b9b921c331002ceccbc9c515c3f12a0a3c5a8fc907f9430a71c5a89c7916b954946

Download Submit
C:\Vid10\dobxsys.exe

Filesize
4.0MB

MD5
0c939d2b0bdaf0c5d34b431255a0be86

SHA1
f9c4150b85f03fd7b5187bc5413f7b4e5107d06d

SHA256
210f1fc2242b4a082ab46ed7a932dcca17fcc71a7f08e39a2d51d64e3f8192db

SHA512
b2f161bfcf66681aa60ab20715071e417a793e92e87f2e1a17bfc4f756aadf64ae8433e5fde5d2d40727de987e38216c241757f9158aa4b78d8370625b4dfbe6

Download Submit