6410ebc2883335b7e5290ce3a73cd38357ea50b9d1f54d03a7d0a56891cd0fe6

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 03:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
Size

3.1MB
MD5

b3a8d4d0de5a9a45dc041c981c52e7e0
SHA1

29fa54b696dd924d2d63e189b5901907d7f50a59
SHA256

6410ebc2883335b7e5290ce3a73cd38357ea50b9d1f54d03a7d0a56891cd0fe6
SHA512

0cec267f83bf454952599d51734de917b9b6372fa9a4c32cc351fa07874570930153a98dcb9e80a0376bd61aafcf6638a51b6aa5f3a4b2f7fc5c7309c75e2398
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUptbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
4988	sysaopti.exe
2664	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotOE\\xbodloc.exe"	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH4\\bodxloc.exe"	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe
4988	sysaopti.exe
4988	sysaopti.exe
2664	xbodloc.exe
2664	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4988	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	92
PID 740 wrote to memory of 4988	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	92
PID 740 wrote to memory of 4988	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	92
PID 740 wrote to memory of 2664	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	95
PID 740 wrote to memory of 2664	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	95
PID 740 wrote to memory of 2664	740	b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe	95

C:\Users\Admin\AppData\Local\Temp\b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b3a8d4d0de5a9a45dc041c981c52e7e0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\UserDotOE\xbodloc.exe
  C:\UserDotOE\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZH4\bodxloc.exe

Filesize
3.1MB

MD5
9917d5a979dc9c71dcdf10f1515fc225

SHA1
2caeb3f1c24231d805c9d4fceb0f4ad6a4fb5d9d

SHA256
85dbf45f5a6736d171eadd94edf618efe5ac4ef3393b2122c0a1d5931269a40b

SHA512
b5d883e7c826957bfe8df59905783c4e1679614bde9149c51145ef91b126cc263ab1ffc444287898a6c49f8af41f7d9054db53a1f24a58da4669cc0d21875681

Download Submit
C:\LabZH4\bodxloc.exe

Filesize
398KB

MD5
213b27a6dcf5c36d15c196a29634c8c4

SHA1
98015e32443106939e6453c3bf05c9ad9a83646f

SHA256
df7b23709e8adbc6e9dc2ff054b0f03a30d1e5a2eb8ace018f6e68e4d6745693

SHA512
876515372a12810f2c13f36d06f9a1acabfe2882a0236960dee481445fc5702fcb765b7ed95a2a32988fcf98029538d7ca15f5d9650cdb46f068808b8c91b238

Download Submit
C:\UserDotOE\xbodloc.exe

Filesize
3.1MB

MD5
2263aff6ca8f7a10774b82bcf9e8c292

SHA1
5e71285036a41ef350f42bef8548cd30690774cf

SHA256
64fabd1dc3b25320b18b012a329f6add79089e9c5c87b072cb154b1bd4a7af0b

SHA512
e52d5a37d076db9fe5fbc4cb184c78c0cb3b8d82c8e1d0c246c803b2fe35223d0d4e9b2b61f06e485ecacc1cc50a1644f31a373f08d4fc02df152dd70deac1ee

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
39e538e426473d334ebcae4d309bb5d8

SHA1
ca4b62b18a47579cb388fa587d68ab7637030841

SHA256
64de38c0c90a2a40fb1b50f959fea6bfa84ffb9f69997fa0b141567d51f678fa

SHA512
d292cd1a989568ac2e6cd6ef3e05ab6677fe8bebe902290e5688fdf11bc571a2a9063dbefdcab566cf5fd85e41a1db0d7b90fd130cbcdae2e8e424073985cd54

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
6e910dcc92b8a425579b5eacd079225b

SHA1
3671f4268865c476e358888930e0f05dbbf7c4cc

SHA256
2554f24cf009283caaa4088a881a556bdd47f8c7cf44bb17cf20e95f0f9cadd1

SHA512
48de897b5e914219638cf0a0de3aab30c6d1e5b4f661ab30f3697b29c073683bc730f4694de6423fad0a9b3710c80eca1d1afea76472b95e7adc4ea5cb6aed37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.1MB

MD5
bce01947bd2808e0f1f86d54da4ec661

SHA1
72aa61816c0d5e131f0da8b68bc37a134933b93a

SHA256
b6b3b29489c60ba6ce40830888e65f82d02382342570b82e9b53033ccf9d87d0

SHA512
7e3b8707f187bd39d2e161843c7508f7f57ec9d9ac0734c8153b686d881d759c83c4b7baaabbf22a7265f29dbd2586991b86d4aa2f2438fca79f9022101dc75a

Download Submit