1e3ce732bafbd6fa9a2cf4b65c26673bbeb7876f28471e286b5391372fc03ed3

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
Size

3.0MB
MD5

fdd44bac2faf33abdb6eec8671175140
SHA1

22e2b8839b98888c4e210925ad0ebca53b0a1d08
SHA256

1e3ce732bafbd6fa9a2cf4b65c26673bbeb7876f28471e286b5391372fc03ed3
SHA512

ea65d344b006d90021b749983f785dea8ed30d9058a041376a9d5aaf40fecbee77555a0d05275f9512964b07f2327505b80a463f4bb30e441714ebe17663757a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpEbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3340	ecxbod.exe
688	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW2\\optialoc.exe"	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesC3\\aoptiec.exe"	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe
3340	ecxbod.exe
3340	ecxbod.exe
688	aoptiec.exe
688	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3340	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	89
PID 1940 wrote to memory of 3340	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	89
PID 1940 wrote to memory of 3340	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	89
PID 1940 wrote to memory of 688	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	91
PID 1940 wrote to memory of 688	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	91
PID 1940 wrote to memory of 688	1940	fdd44bac2faf33abdb6eec8671175140_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\fdd44bac2faf33abdb6eec8671175140_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fdd44bac2faf33abdb6eec8671175140_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\FilesC3\aoptiec.exe
  C:\FilesC3\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesC3\aoptiec.exe

Filesize
3.0MB

MD5
9ca8f142621bd2434780dbc8168f2e3e

SHA1
5b7a9328d82eaf7ce6f2ebb0237641c4b5d5648c

SHA256
68c5eac1daaabf411f0a10f59b861ef20d4da1303c60282bf70892ee7303bad8

SHA512
d3afeaf2812b248e04a3a6ac2723c1a212ce1f49ac9f9ff8599f200e3f11e21234e4008ebe27c712f64022257703f002e3490103de7a266287c423ba83947cff

Download Submit
C:\GalaxW2\optialoc.exe

Filesize
3.0MB

MD5
e1a04447b536ec19eba79a02d31bdff4

SHA1
c4b5220d1065fb468e05cf71f4fa3781da4c9c72

SHA256
47de79f7693ae6215906f8d4e5c87b99152f8ab1da3a0e6aae2726de80210d8c

SHA512
05c820087c2101bc201a6d4b0cdf8c8340135c9caeb618d7dcebf515730cb08c4e4c7cc5efb7e650ef28715d00195a93afbeaa080e83417c6155189022933758

Download Submit
C:\GalaxW2\optialoc.exe

Filesize
3.0MB

MD5
cb429afe6b351092be6adb072e74d642

SHA1
18e29955c02e2678477a7657ae7afc750a2e5f0e

SHA256
61d540ce49939b976108fa64d2943d88c302648d1d4be7450c45051372f924ef

SHA512
9be4a0bc0b9cef06fdc550a3961bb2b0cc766302256d16eb00106c5f5eeeaebbd7d8623d886abd1a905009493fb6d7a135629f3be91a7ba40f29e4e71f121194

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
1c8464d0ae08b5131525b9d4ef284671

SHA1
9d157391933de76219ea79283e844e338ebad648

SHA256
6db426a46f88f31ddd494ff0e6a6caa682a2e38a761aaf95be9fa4b07fc13e71

SHA512
86985602879fca47abf576005c3f70b1810b00f39c46f0b81eb0ae5d4b3f7ea5b90be2bea73949b61551dd7bf56d3424f0c1697fa62aaff629643c78cf5db391

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
d4adf8690694c3194384b89ab4fb6e0e

SHA1
ff238d3990fe49b80322499c3369746f1ecaf5c0

SHA256
644343c4787797022a86deb513a9f3750f01f0765b9fac91c2630cde76562cb4

SHA512
f03bc6e8a7271ffd8d6ee106a5728946ef80b56b3a3da32edcc2aa97d48285cdfb99c3deb893233c9a509231972b2843afebdcd32c72bde49635eff6def33a15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.0MB

MD5
2e5586f0a235f9f49159ac6e4f51c565

SHA1
18c012ea3a71960e4062eb42700f437f9c327625

SHA256
26c3002cad9ddf7864719a9cab4b97628491f121308989e2c0b0217486e48d92

SHA512
3af56555366fc45f2a24d9db2a11f2a0338aec71ead67a57dab9cb53d3e4381c8673cb1f9fee855712c02abea18b9d99ebbcc5869bf9fc4fa0c8ab31b14fd97c

Download Submit