d2d54c7a601e12a485b2bef30178504df8cf0c1ecacab31c9a486beda20cbdab

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
Size

2.6MB
MD5

9e658ebc1fbf4d03882778199ffc6cb0
SHA1

0684311b9ff7bd9b361b203f955cfd07565af411
SHA256

d2d54c7a601e12a485b2bef30178504df8cf0c1ecacab31c9a486beda20cbdab
SHA512

c549cd0b0fc972cb90724d0539bb8bca23bf4875770618b15d7cae713f2e219284a9226429fcbf10196e122d4ace91a6f947008631d6a61d4ec822959431c25c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
1880	locxopti.exe
2668	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocER\\xbodec.exe"	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZ2\\bodasys.exe"	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe
1880	locxopti.exe
2668	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1880	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	28
PID 2188 wrote to memory of 1880	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	28
PID 2188 wrote to memory of 1880	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	28
PID 2188 wrote to memory of 1880	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	28
PID 2188 wrote to memory of 2668	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	29
PID 2188 wrote to memory of 2668	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	29
PID 2188 wrote to memory of 2668	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	29
PID 2188 wrote to memory of 2668	2188	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\IntelprocER\xbodec.exe
  C:\IntelprocER\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocER\xbodec.exe

Filesize
2.6MB

MD5
4541c9d0bef3948c881333806b2f8216

SHA1
a6659ac00e1f582f9dcd63087c7ce17ff7950200

SHA256
923dc373bfc9dec4f15f373510a786e1fe33b2f8e3228431f0511580d4cc0db4

SHA512
670893dec11dae05ef7f282ca19a9ea30dca31c81cc902325910904f56fd44c3c4fdef87e22d2dc8a3706c0a5a9280993cb45eac5180ce17b2c4f07e5215d39f

Download Submit
C:\MintZ2\bodasys.exe

Filesize
2.6MB

MD5
17dd8a3e28ccd4473d4c4ff4236f3138

SHA1
098068fc884c740e7dd47670735e8dcf3e41b611

SHA256
6872d9bd4645cbde4acfb802fcf50ece10cf49ef84c838b51091e76dbf1fc6f6

SHA512
79265a90e25625e0edca241a7b0f23f5b82067a194bf8c9a4abe01be58c05d46d55e36d98695e5d86dde1cd882d38aa4a4ef794d8c3e5dcc56fbce785a1b6b2c

Download Submit
C:\MintZ2\bodasys.exe

Filesize
2.6MB

MD5
712aea9d36cd5b7c9ab5ca85e97470e2

SHA1
01012150895b07c1c3bd0f1f0b647e52f0448bb2

SHA256
859c28cf6b79bcdc136479db87c919b3242d0826ae9894ce2533c893f5a296e0

SHA512
cfdc8a20610b12aca3c7667b27d12465d42edc4dd81fc716aacf65a3258b7e35d74960563e07191b3e6e5d482978246ed007c958a031be6d5cca884385d8c95b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
415db45158fda1f00db79b954768337e

SHA1
d40aae8b93c8076a41a7711ace82eec5f7a92651

SHA256
01bef466bafe0d30442e27c15cbfa0b05752ab907815352491bea3862fe09b7c

SHA512
d6ef4ce24bc8789a8d3f9cf30120dcd6f88e20cfb920764cd9f3d8245ccf4a95605570f5f43a75b1d3a62af70e233a27a6822d2c8799b2d7ae115bb1f7c22d66

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
17cd6124e14046a5b76205732587fd1a

SHA1
874220246f46ffb0f3af85cc4136bf653e1baf45

SHA256
ac8b6683f60c88c0f1db4bbbe6017c291bc1f032b83cc947d680a64ebe08fbd0

SHA512
b9be84461552a13f33eca9375d6f7f5a93ccd463ae177fd487753774c276175f4e738dd3fcb2d7f5f349d2f0aa1273e6e2abf1d4bc754e6234064a42172b5109

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
efe9b5a6f01418496838d2f5017a0a10

SHA1
4e19c551c8cf47371210132f32e2d7c16285156c

SHA256
782e7f3e3f3a294efbbd0fdfc043b1b060c3fae059f19dcc90bc8e8a9a93f6b3

SHA512
c581d87af711abd65566278673e6becb305b0d99aa39423ac2947c8ab37b8c66c4a8543c6c107e41b440ee57905d4f101865419a2efcea3aca0f421e159a0e99

Download Submit