4b8a7cd089349bbc32b54d8664c4c31ff5160605ddc43b36e6736b706ee283f5

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af2e1781d70db947e04227d718512a00_NEIKI.exe
Size

4.1MB
MD5

af2e1781d70db947e04227d718512a00
SHA1

974b696644f5d5d164aa513805e25e44591e60b5
SHA256

4b8a7cd089349bbc32b54d8664c4c31ff5160605ddc43b36e6736b706ee283f5
SHA512

9234dc8afbd9b3cb9a9e828c01d2d979be46ebc2d0205467760c9627a93a4e6260e8299248927b45555fac9dd1fe5d3137ae76c5a5b37adf27f391c35b473982
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	af2e1781d70db947e04227d718512a00_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2340	sysxbod.exe
1116	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1776	af2e1781d70db947e04227d718512a00_NEIKI.exe
1776	af2e1781d70db947e04227d718512a00_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc29\\adobec.exe"	af2e1781d70db947e04227d718512a00_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEM\\optixec.exe"	af2e1781d70db947e04227d718512a00_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	af2e1781d70db947e04227d718512a00_NEIKI.exe
1776	af2e1781d70db947e04227d718512a00_NEIKI.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe
2340	sysxbod.exe
1116	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2340	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	30
PID 1776 wrote to memory of 2340	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	30
PID 1776 wrote to memory of 2340	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	30
PID 1776 wrote to memory of 2340	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	30
PID 1776 wrote to memory of 1116	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	31
PID 1776 wrote to memory of 1116	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	31
PID 1776 wrote to memory of 1116	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	31
PID 1776 wrote to memory of 1116	1776	af2e1781d70db947e04227d718512a00_NEIKI.exe	31

C:\Users\Admin\AppData\Local\Temp\af2e1781d70db947e04227d718512a00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\af2e1781d70db947e04227d718512a00_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Intelproc29\adobec.exe
  C:\Intelproc29\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc29\adobec.exe

Filesize
4.1MB

MD5
74b0dec58517e4d02ffd20d1e966aefb

SHA1
54173fc1a3637ed1ea2f1d9742f67a62ce40d0f7

SHA256
84c2e4d5988c7d18867e02063e7b83985514b05a7813d5ce298d6d1c94f09b69

SHA512
f2ce34a2f50c9d8a5547525aae821944b68e06c20ccde213f188fe7e39f88b3144fae800c9f24f13f54173b262e3078b14797abca48cdbe42c613a1ce3a9c97a

Download Submit
C:\MintEM\optixec.exe

Filesize
4.1MB

MD5
7da5688e8e93697580c1dd831a77dfa1

SHA1
917c5cfaa6772f2fb1d7163ad303f8b19e1ce68a

SHA256
a49dcec4ae28548304698c775ffb75ef6fad478ab8be0e0d83b720e557864aec

SHA512
30f296f92629d656816f8281ca856ec4814bb1337e9222b818bf7c84fdd3f7f1c21363d2ab9e86ae6e28291d27f32f7e5a70d825e0dae2dc15795f5594d3684c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
eea35f371f120f9249a28206f2d77d01

SHA1
68e658abe1a2666cd5c08cb50d770b7480dd5e8f

SHA256
b422de824437c7e42329b59b8557dc046f0e7cd62d83e7283d09ebbc141bbcf4

SHA512
752272c2412c5ca0bd02be3b0ed17dc864c4c1c0ef0f74d8702be0f6932cec5b9dddc1da2970957d8a333fd7a041f380cf34d63c1274f82dcbd4afbedef0c66a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
7d9cc098ce0d169f6a94335a0ea5fbc1

SHA1
cb187fbaa0c905c1ca651d78de2055d04da4e738

SHA256
1abb8dcd52219f10732058f0501e4af1ca53019ae63a97b57a3722e122559eaa

SHA512
2bb818b0eed6ce6dff017e94f9aca7bf5624276c8d9faea8f44cbba16178ab98b9184949eb0538e6650e7a26714cfe8f7ca8003214a136aa9425825c75f9a436

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.1MB

MD5
7e72293e3065757adbac8851e262e6bc

SHA1
6473f99a88c18695086237a4fb378fff289225c7

SHA256
072841562b4aa00e535c771b1eb0a9a7481c82269be2633eae250e54a4d49b78

SHA512
2f7cf1cb41cc58fb0d6d8cc87cffb9a11da4dd313e2ae3ce6a126b2d750c96f167c8d6c697b1237838185c33e19b336814e0c4fad6f0ccc4066786e822068942

Download Submit