3044648103885a8683399424c2b5463006e5543a361cbeaaf7687b99ea5d9b6d

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
Size

4.1MB
MD5

fd21d072d73f62259ec9be7b99847e10
SHA1

4a3923cede41a59cd1b2d2514ca78dc99eef1a8e
SHA256

3044648103885a8683399424c2b5463006e5543a361cbeaaf7687b99ea5d9b6d
SHA512

e59e9a6b6581fd9096a1d92a969096eff21381d279d434a0ffca68e6bded2e81b84385232a0250f5b26510cfb4c4455ee1fa17c154615e84c7a2dcc00effac31
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	ecaopti.exe
2616	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files14\\xoptiloc.exe"	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7B\\boddevloc.exe"	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe
2632	ecaopti.exe
2616	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2632	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	28
PID 2240 wrote to memory of 2632	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	28
PID 2240 wrote to memory of 2632	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	28
PID 2240 wrote to memory of 2632	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	28
PID 2240 wrote to memory of 2616	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	29
PID 2240 wrote to memory of 2616	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	29
PID 2240 wrote to memory of 2616	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	29
PID 2240 wrote to memory of 2616	2240	fd21d072d73f62259ec9be7b99847e10_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\fd21d072d73f62259ec9be7b99847e10_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fd21d072d73f62259ec9be7b99847e10_NEIKI.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Files14\xoptiloc.exe
  C:\Files14\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files14\xoptiloc.exe

Filesize
4.1MB

MD5
fe52ef4759a3c46fe96e77e174c8a3dd

SHA1
c61cb47b42acb46ff5b8af0b5fc071d4aa1df99b

SHA256
d3532d046284ff5ebbca6b27fc8fb9ea0fb2e31295b8cb126024dfe760db94a6

SHA512
64cefa5b35c14c9a435ff0e7b28db159fa75351989bb0cd1856480b1565d49448d390aed589f5c3fb7dcc7eeae4549bb86a70fc20be11399c52f14af5c8ca471

Download Submit
C:\KaVB7B\boddevloc.exe

Filesize
8KB

MD5
b6a3be42755c871ed4a546b6cfb8e5e8

SHA1
45db3ee8541418f154843d4a791071b3c3c65177

SHA256
1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657

SHA512
a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e

Download Submit
C:\KaVB7B\boddevloc.exe

Filesize
4.1MB

MD5
46a91d4d6e74160c847e23d6591b1bed

SHA1
b537a8a78911625e27c7a7b364dd109612bb9bd4

SHA256
ce07f8b14fd279ab8c81d8e4c0e43bd2b9e52a3ef647a6991d6485a40c5dccac

SHA512
9b07305c198a977e119c0c6a9c73c0d494188099a7980652590b199ca26429eb0d0d6cab349afb59b291b7265ac8afb1f5ae1868e2593da4cdbb34caa0ea2ece

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
b63f35fd069afe7be731a1c4dfd07aa7

SHA1
9f5e17b7e0a868c237c37e0ed78af7cd56385e78

SHA256
f22c4be106c59aa3a94350f383a41688042dee3ffc72b4cbbf2cea3c788dad82

SHA512
651f5803c7cbd24d35d579f4e2d5bbac3caa56ead3ad4a97e2314372c23ef7b78aeab8ab26688a382a3067ffb789d0ed0bb192c00bca3c3325eee0f98af4fd45

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
750d49411920a8b6ce9cfe71cad654ad

SHA1
966cf1c208d1eb1b0140e292d025fc396dcc4397

SHA256
43915b354e92d1617d3d72ba986294f08e577259ddb1071cd2f765be95ff745e

SHA512
b1d9277ef7bdd3dd72279c45ec19b7caf61ddd028ddf9ec05637aa0a544a6033d696eed35c650309e519983aa25bc5496c2d17e6a560eb098a78dc77f6ea1407

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
4.1MB

MD5
9db375380f43c1bb281d0010f69f6c15

SHA1
245cdc063a1999dd3a291c2f264d85e85886fc16

SHA256
ed23dfb82b7946c8c0d138093fc6b1d69c7417a0fddfb12f1158e8683ed4385e

SHA512
d647e71b410011f6e5d7b909efbc77231f19f374436b516297de2be53127d9eb2d7b66056e1e13325fc28c6d8e6d85c438d8d3ef10c8320bc27bbfd926a44b8a

Download Submit