d2d54c7a601e12a485b2bef30178504df8cf0c1ecacab31c9a486beda20cbdab

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
Size

2.6MB
MD5

9e658ebc1fbf4d03882778199ffc6cb0
SHA1

0684311b9ff7bd9b361b203f955cfd07565af411
SHA256

d2d54c7a601e12a485b2bef30178504df8cf0c1ecacab31c9a486beda20cbdab
SHA512

c549cd0b0fc972cb90724d0539bb8bca23bf4875770618b15d7cae713f2e219284a9226429fcbf10196e122d4ace91a6f947008631d6a61d4ec822959431c25c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
4792	ecdevopti.exe
4692	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQB\\optixec.exe"	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMU\\devdobec.exe"	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe
4792	ecdevopti.exe
4792	ecdevopti.exe
4692	devdobec.exe
4692	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4792	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	88
PID 1028 wrote to memory of 4792	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	88
PID 1028 wrote to memory of 4792	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	88
PID 1028 wrote to memory of 4692	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	89
PID 1028 wrote to memory of 4692	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	89
PID 1028 wrote to memory of 4692	1028	9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe	89

C:\Users\Admin\AppData\Local\Temp\9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9e658ebc1fbf4d03882778199ffc6cb0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\FilesMU\devdobec.exe
  C:\FilesMU\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesMU\devdobec.exe

Filesize
2.6MB

MD5
9b4d00a62dd02aa17ad0fc2ccd08e069

SHA1
538ebc0455df64057fe5f4670c016dd5a2b0d213

SHA256
b03fa6ca3921c578db53f9918a8bd8fd91a4a42fc390a011e4d4a1c01daa0867

SHA512
bd14ecd4f60242085b50b1945ac6d6c0b7729beb21730aaa772c77fcf0aff59ec00717f1281e3f726be0f9007504de726f098fcf42b7476d44c46e6ff7fcd893

Download Submit
C:\GalaxQB\optixec.exe

Filesize
2.6MB

MD5
58782e467f90a62a4fee8517e5401b6e

SHA1
d235471655353b2b9826649a678f27dd34fef5d5

SHA256
5f6debff8fc4975b0a16042e2f491bd1556066a8eecd7908bd1a1d01563283ec

SHA512
5008cd2d409b74900cf23e2185dfdd7a5a86efd46a75fcc57d45c4d0e05d04b799df8133c8189611ffdea27185f2e414fdd16dce89530462d1130366606080d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
54680e95feca2920f9e4e60da63245fa

SHA1
e5ce7dbade88a446775aa6184e2a1b029fad575c

SHA256
3a2f37585f492e3af61c9a85de14c628940d68b52fc0288c81c2e0d6f5dc1dae

SHA512
ada8273f13ea20cde35bcf8505691502d12317506dfa116c84c6dc9f274d6f7b8e04d0de707b434525849390b363716851d165e33ea9321c51c6d776cfc97dd0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
fd11ab6ac3349fcdc37b4c4e10dd0b20

SHA1
9979e6c4fa5cf94e3ea745f5b4c7e20bf86d867e

SHA256
8ef8d1f2cbac9636662af702dea91522913c486993ba8263c72ed51f9193ddcd

SHA512
3444a1120db49bc810567cde833b2106e10d105a636816e35f8153a0e4798d3e635d69761518196191331ee4cd45e33be7f7c851ce65f09846756ceda5887edd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
3b03f521f461e22b6e47b424aea58168

SHA1
9012281570f9ed5ecf38a4b24a5d2c76227c0dbb

SHA256
bb48a002361f4417e938a0d93be3b2054ca825d010169747778d6c4a52417db9

SHA512
9869647a584bdd88f604de9aebecafedb62e629c450a1918779a01e5c8f407819adf6b10240e7507bf8ebcdf4f8caf197a06ac7f3a7f4e472b91ce4abecffa21

Download Submit