Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 08/05/2024, 09:01

Static task: static1
Behavioral task: behavioral1
  Sample: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
Size: 4.1MB
MD5: 3a26230f5ced7430f4e21c14aa71a200
SHA1: f55a90ee18222475e28993254a7a03337dfd7438
SHA256: b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f
SHA512: 6e4aab2230a84ecae2fa93ffccfed5110e8ffa304305c9880cb8a5fe05e7f943401df08c89f613b8e680ab51c267d0773c0cfb25a2a0976dbf9ee84f11e65b85
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe

Executes dropped EXE (2 IoCs)
  PID 1724  locdevbod.exe
  PID 2696  devbodec.exe

Loads dropped DLL (2 IoCs)
  PID 1648  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  PID 1648  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe"
    Process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe"
    Process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  The doubled backslashes are the report's string escaping; the on-disk values are C:\SysDrvKG\devbodec.exe and C:\MintBQ\dobaec.exe. Both values share the unusual name "Parametr". The Run target devbodec.exe is executed in this run (PID 2696, below); the RunOnce target C:\MintBQ\dobaec.exe does not appear in the process list, so it was not observed running within the analysis window.
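A Sigma rule for the persistence recorded by the signature above, added here as an example; it is not part of the report and not the sandbox vendor's own detection. The key paths and the value name "Parametr" come straight from the two rows. The regex in `selection_data`, which generalises the two root-level directory names on the page (SysDrvKG, MintBQ) to a short run of letters directly under C:\, is an assumption, as are the false-positive note and the level.

```yaml
title: Run/RunOnce Value 'Parametr' Pointing to an Executable in a Top-Level Directory
status: experimental
description: >
  Registry persistence as observed in the sandbox run of
  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe (SHA256
  b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f): a value
  named 'Parametr' under HKU\<SID>\...\CurrentVersion\Run and \RunOnce whose data
  points to C:\SysDrvKG\devbodec.exe or C:\MintBQ\dobaec.exe. The directory-name
  pattern in selection_data is generalised from those two values (assumption).
author: added example, not from the report
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  product: windows
  category: registry_set
detection:
  selection_key:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run\'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
  selection_name:
    TargetObject|endswith: '\Parametr'
  selection_data:
    # Generalised from C:\SysDrvKG\devbodec.exe and C:\MintBQ\dobaec.exe (assumption)
    Details|re: '^C:\\[A-Za-z]{5,10}\\[a-z]{5,10}\.exe$'
  condition: selection_key and (selection_name or selection_data)
falsepositives:
  - Installers that register a loader from a directory created directly under C:\
level: high
```

The `selection_name` branch is the high-confidence match for this sample; `selection_data` is the broader net and should be tuned against your own autorun baseline before being promoted beyond experimental.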
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1648  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe  (2 entries)
  PID 1724  locdevbod.exe and PID 2696  devbodec.exe  (the remaining entries alternate between these two processes; 64 listed in total)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1648 (3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe) wrote to memory of PID 1724, procid_target 28  (4 entries)
  PID 1648 (3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe) wrote to memory of PID 2696, procid_target 29  (4 entries)
  Both targets are the child processes that PID 1648 spawns (see the process tree below), so these writes coincide with process creation rather than indicating injection into an unrelated process.
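The "Adds Run key" and "Suspicious use of WriteProcessMemory" rows are printed run together on this page, and a practitioner usually wants them as structured IoCs and a parent/child graph rather than as text. The script below is an added example, not part of the report and not sandbox-vendor code: it parses the two row formats as they appear on the page, normalises the NT registry path and escaped backslashes, collapses the repeated WriteProcessMemory rows into a tree, and checks a constructed host snapshot of Run/RunOnce values against the parsed IoCs. The function names, the PID-to-image map (taken from the "Executes dropped EXE" and "Loads dropped DLL" rows) and the host snapshot are constructed for illustration.

```python
"""Parse this report's registry and WriteProcessMemory signature rows into IoCs.

Added example; not part of the sandbox report. The report rows below are copied
from the page, everything else is constructed for illustration.
"""
import re
from collections import Counter

# "Adds Run key to start application" rows, exactly as the page prints them
# (JSON-style doubled backslashes in the data, rows run together).
RUN_KEY_ROWS = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe" '
    r'3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe" '
    r'3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe'
)
# "Suspicious use of WriteProcessMemory": the page lists each row four times.
WPM_ROWS = (
    "PID 1648 wrote to memory of 1724 1648 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe 28 " * 4
    + "PID 1648 wrote to memory of 2696 1648 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe 29 " * 4
)
# PID -> image, from the "Executes dropped EXE" / "Loads dropped DLL" rows.
PID_NAMES = {1648: "3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe",
             1724: "locdevbod.exe", 2696: "devbodec.exe"}

RUN_ROW_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+)')
WPM_ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<idx>\d+)")
HIVES = {r"\REGISTRY\USER": "HKU", r"\REGISTRY\MACHINE": "HKLM"}


def parse_run_keys(text):
    """One IoC dict per 'Set value' row: key rewritten to HKU/HKLM form,
    value name split off, doubled backslashes in the data collapsed."""
    iocs = []
    for m in RUN_ROW_RE.finditer(text):
        key = m.group("key")
        for nt_prefix, short in HIVES.items():
            if key.startswith(nt_prefix):
                key = short + key[len(nt_prefix):]
        iocs.append({"key": key, "name": m.group("name"), "type": m.group("type"),
                     "data": m.group("data").replace("\\\\", "\\"),
                     "process": m.group("proc"),
                     "run_once": key.upper().endswith("\\RUNONCE")})
    return iocs


def parse_wpm(text):
    """Collapse the repeated rows into (writer_pid, target_pid) -> row count."""
    return Counter((int(m.group("src")), int(m.group("dst")))
                   for m in WPM_ROW_RE.finditer(text))


def process_tree(edges, names, root):
    """Render the writer->target relation as indented lines, one per process."""
    children = {}
    for (src, dst), n in edges.items():
        children.setdefault(src, []).append((dst, n))
    lines = []

    def walk(pid, depth, n=None):
        note = f"  ({n} WriteProcessMemory rows)" if n else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}{note}")
        for child, cnt in sorted(children.get(pid, [])):
            walk(child, depth + 1, cnt)

    walk(root, 0)
    return lines


def match_run_keys(iocs, host_entries):
    """Compare (key, name, data) autorun values from a host with the IoCs.
    Same subkey (Run vs RunOnce) and value name with identical data is 'exact';
    the rare value name alone is reported as 'name-only', since the dropped
    directory names may differ between machines (assumption)."""
    hits = []
    for key, name, data in host_entries:
        tail = key.rsplit("\\", 1)[-1].upper()
        for ioc in iocs:
            if tail != ioc["key"].rsplit("\\", 1)[-1].upper() or name.lower() != ioc["name"].lower():
                continue
            kind = "exact" if data.lower() == ioc["data"].lower() else "name-only"
            hits.append((kind, key, name, data))
            break
    return hits


# Constructed host snapshot: one benign autorun, one exact hit, one name-only hit.
_HKU = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion"
HOST_ENTRIES = [
    (_HKU + r"\Run", "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (_HKU + r"\Run", "Parametr", r"C:\SysDrvKG\devbodec.exe"),
    (_HKU + r"\RunOnce", "Parametr", r"C:\QwErTz\abcdef.exe"),
]

if __name__ == "__main__":
    iocs = parse_run_keys(RUN_KEY_ROWS)
    for ioc in iocs:
        print(ioc)
    print("\n".join(process_tree(parse_wpm(WPM_ROWS), PID_NAMES, 1648)))
    for hit in match_run_keys(iocs, HOST_ENTRIES):
        print(hit)
```

Run it as a script to print the two IoCs, the three-line tree rooted at PID 1648 and the two hits from the snapshot; the same functions can be pointed at rows copied from other reports in this format.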
Processes
- C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe  (level 1, PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe  (level 2, PID 1724)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvKG\devbodec.exe  (level 2, PID 2696)
    Command line: C:\SysDrvKG\devbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files recorded for this run; the page lists sizes and hashes only, no filenames. None of the four 4.1MB artifacts shares a hash with the submitted sample (MD5 3a26230f5ced7430f4e21c14aa71a200), so exact-hash matching on the parent will not find the dropped copies; match on the paths, the "Parametr" value name or the behaviour above instead.

- Filesize: 4.1MB
  MD5: e7948d9195c7e01ccd8f297b2467b796
  SHA1: e55fca4c517727193491b0f5e5f1ea5c5ac45c10
  SHA256: bdb4495367e68d4121f76a20e905af824e043eb7a14ecf2be35a690d05cfee43
  SHA512: 33b423ce61f0a21eaa95442042e55022879551b217eebe2b045c648b091592ea7e220ce7d1a5250a6cd85eb35d334a9fa2ef0701716767810e7896caa9395d5b
- Filesize: 4.1MB
  MD5: 1aecd214379dc8280383ac51e546cbe9
  SHA1: f8aac5ee656b61323d5239cc222b185f5b921292
  SHA256: 2bcbfb0f953629e9e19c85f022a61c9d15929ca2a23324978f7a4088b02dfb0f
  SHA512: 6bc5f9e12894454c94e8f5e26839ce3a34dc5a8f392eff9c9c1692bc28172dabca6c928732e45cceaff7d3bd93bba22f5b30cc8f1f3af557f985b43dda3755e0
- Filesize: 4.1MB
  MD5: 2d50c6561de6b225742ed32cebe4bd62
  SHA1: fdf64a1be951a9db8ef7b6127c04def4cbc4a3d0
  SHA256: 098c8bb243c31def1330c0e159883b92b13b246c7bb1f05f5b6b10249edd7bdd
  SHA512: c9bb34ebabcafde2b44a75b8db67214b19179ab4e4a24e28e0f5c692fece72a9eeec9adda383b9453cb66a58fb29739d44ebb0ab8911bd98353253ae1a82f1d4
- Filesize: 171B
  MD5: 2b5d8d6cdc800372c90a535cdd2c90a7
  SHA1: b23d4ab6f2544566441bd54ce649c51daca96ec0
  SHA256: 3534bac621cfaabd9abbb6cfe631104966fada14c7c76badcceaed94bc8a8f34
  SHA512: 45349a960b9796063a9ac79a381f2e649076c63a18e3b8c285eebebcab7323a4a58e7668eeeb29cacb404d35b85b6d3062a9505babe9088ccf8d7be72e9e999e
- Filesize: 203B
  MD5: bd674f9a9bbf1c4fc804c936962e730b
  SHA1: 86bc414a26495ee0c14c2fc5007296e0c6d19c52
  SHA256: d26578129a34d600af2960c1cf10f939ef3b27a1195e9dd1fbc50ab81a9cc57f
  SHA512: b63a5fb685176bb8016998b4fc0cc042c273cc9f421042832c957bc4c03f2ab4263458fa50f500287aeae0420049cb779c04ff8d66af2e683ee19beaa95b11d2
- Filesize: 4.1MB
  MD5: 529edbbe09bac7a3ae276af4ef0c0731
  SHA1: 0d10c74e731a3330a0f9181b37dde3542f3dc3e0
  SHA256: a3f4993ba4a6cb5c4278c7e1e1b6f45b8d9bec4b8833bf5c2ac0d247c937a2f8
  SHA512: 0943ab18a88a2a8562e361adaf7a41daf9f4313d742feb3dafd6051036a3561c73d8f07543f3574ef23eaca9a52e7c812c825cba9da75a79f4d7862222dda49f