4c812480391b091fe2dac9a93581e3d7eb53112368b9c5c28fa3dbbf99edbe6c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac688ea53041d30d07d4c089370dd160_NEIKI.exe
Size

3.1MB
MD5

ac688ea53041d30d07d4c089370dd160
SHA1

793d832f95454e7a71b57f0817f7253eb739d9e6
SHA256

4c812480391b091fe2dac9a93581e3d7eb53112368b9c5c28fa3dbbf99edbe6c
SHA512

56b9a7afbc20d45ffa4198ecd138564edbcdbb5a5df021a32afb9b228e6ebd23fa0b625b8a760a0f541fa7ecc4f9a1c9e5e4b4216bda712f2954c9e3a59f2b66
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8:sxX7QnxrloE5dpUpSbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	ac688ea53041d30d07d4c089370dd160_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
804	sysxbod.exe
4052	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot78\\xdobloc.exe"	ac688ea53041d30d07d4c089370dd160_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid02\\bodaloc.exe"	ac688ea53041d30d07d4c089370dd160_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe
4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe
4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe
4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe
804	sysxbod.exe
804	sysxbod.exe
4052	xdobloc.exe
4052	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 804	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	87
PID 4420 wrote to memory of 804	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	87
PID 4420 wrote to memory of 804	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	87
PID 4420 wrote to memory of 4052	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	88
PID 4420 wrote to memory of 4052	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	88
PID 4420 wrote to memory of 4052	4420	ac688ea53041d30d07d4c089370dd160_NEIKI.exe	88

C:\Users\Admin\AppData\Local\Temp\ac688ea53041d30d07d4c089370dd160_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ac688ea53041d30d07d4c089370dd160_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:804
- C:\UserDot78\xdobloc.exe
  C:\UserDot78\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot78\xdobloc.exe

Filesize
1.5MB

MD5
73d331cdac465532913bc75fa21abb51

SHA1
f662edc78f4c2cb6199f5bed25652630ed97076e

SHA256
21fca73589c410e8df08099170754f341ecef73d6c8f333365a969d93bcb1273

SHA512
b84f5bf821a1983c1f86a94e4e8ac8f0e17cedebbeb74599f0c91e701ca63dd5cc5b10211f0d1cb199ff9a8c6ff727010c0c9f08eb03b7402935dab7144c2512

Download Submit
C:\UserDot78\xdobloc.exe

Filesize
3.1MB

MD5
ce4fa35b893c75bf7813553eccc9b57f

SHA1
d3fb2f2280a8a22cd4d31465e27574087ebb8572

SHA256
8c085b6324c0267701d496fbbd8950d184502aac6d4a603209160b6af77b7c03

SHA512
6dcaf7994bbde9b49eb9283255f9429f39ed3da555da4bbefedfa48cd3135303cc896286f2445232ed2fa1f9897a0fdc436d1409ebcb1380e12b4d613303ca39

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
45f079706b436805e1a6508fbbd491b7

SHA1
15573674bf5f6caeb42b9410c30ce32892e1ec74

SHA256
c69a0ed123753669ee5fcaddfe1be807ade84c68f7035af5ec9b97428305449b

SHA512
27e946ef4be350181312f0d169e59bbb07c9ed0838988e988f181c137e5bab9c32851cd67c8215ff3735fb39a46d968be44e4185edcc4086b735318269053fc1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6c9ec50ccfcaf3a28b90740ce10a3076

SHA1
ba391ef01733dbdc305517b8a0b559994fb022c1

SHA256
b02dc63d70ed8c49df222d972b2118d37cdf97d08d574609cb4bf1868a24f9ba

SHA512
b2d57cd91be0313932a4f4c3dbd435317c48c762c2d64b40821247d5cea8b149a983083c6805ae702dc33175e91ae8cfd150ab3160078b080259df68579a871f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.1MB

MD5
e4147cd38f0d4bde7ccee0ac110330ac

SHA1
241201b89eb57b50653062a523b6f920022d0ec0

SHA256
388318eff565a4585bfe7c7e98cd0ee78e691c582992ad40f9354ed08a091c80

SHA512
2b561aef15477d2afe97e2c39d3baf1674eaed5c4b1b6785539d1a424a46a7d7331782368d0f4bfc1d9d446dc96165e6355cd12acff3ce1233265c4fae157481

Download Submit
C:\Vid02\bodaloc.exe

Filesize
3.1MB

MD5
317ecf39b1c8f35fd2a6d9c8598fdce9

SHA1
5b43f0ad2e8cf829d5f6e8f802fce751486c6735

SHA256
c62d9587cbf8c5315bfad7af0af84c053cf4a34ec4bebf4bcfbd23d5661cf0dc

SHA512
fce3d20bf8689c8dd06149abb2ff68c994c45ced8919f7e8d726ec437343f18fd050d28ecefa073a1540f02b09a89193a2abbb2bc1be4177232a209d17228118

Download Submit
C:\Vid02\bodaloc.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit