b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
Size

4.1MB
MD5

3a26230f5ced7430f4e21c14aa71a200
SHA1

f55a90ee18222475e28993254a7a03337dfd7438
SHA256

b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f
SHA512

6e4aab2230a84ecae2fa93ffccfed5110e8ffa304305c9880cb8a5fe05e7f943401df08c89f613b8e680ab51c267d0773c0cfb25a2a0976dbf9ee84f11e65b85
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
4940	sysxopti.exe
1180	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOU\\devdobloc.exe"	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPG\\bodxec.exe"	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe
4940	sysxopti.exe
4940	sysxopti.exe
1180	devdobloc.exe
1180	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4940	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	92
PID 808 wrote to memory of 4940	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	92
PID 808 wrote to memory of 4940	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	92
PID 808 wrote to memory of 1180	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	94
PID 808 wrote to memory of 1180	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	94
PID 808 wrote to memory of 1180	808	3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe	94

C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\AdobeOU\devdobloc.exe
  C:\AdobeOU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOU\devdobloc.exe

Filesize
3.1MB

MD5
fe960c4686df1b7b7c6a3bf17e050030

SHA1
6b5324153bf4aafbded07a91864ac4d2bc55bb4a

SHA256
1ecd0481992c422ff54b358777c1b93efe5f6daec1285d9e0a8f22c6ec5ae96d

SHA512
dcf7fe29662dfbc2fb150d3c81f9f28444fcaba97aebc3f9d094ea06f3f2682b6056d662439722f9c28d5856392e68c09d5c1a7bc1ffe011fc256daf0f62f250

Download Submit
C:\AdobeOU\devdobloc.exe

Filesize
4.1MB

MD5
ca125248ac5faaca9670bfd680631d38

SHA1
db92f0dc27b417bcded5bf8ab46741516e4cfb0a

SHA256
43d52c37ddbfe6cb4d63cb2df164807e9784811f7817d195ef1c1f539dab6a11

SHA512
90447342de93f2d8aee23fdc06f3d90d94fe9bad2be66cab053d61033461725e09fb1abe919bc46956386a6991b695a49d2264ec0a1822371ad643ed3630f803

Download Submit
C:\LabZPG\bodxec.exe

Filesize
768B

MD5
e774f7cc8e37fa166ef18ab0a9d60e16

SHA1
4f77bd3e512d5c12146e7f35e7b5be0d4b3a7e02

SHA256
e08f08f119187de09e0eb330f47bdacab8845a072489dac413bc443bf7bef16d

SHA512
2dd43695435871a25ff809c6279e5acbd0310ef0104f68ae01a2cacae71f5075c76cc04881d84790189cb7418f3494019a67bf7e283cd1d9a3fb0faaa406918e

Download Submit
C:\LabZPG\bodxec.exe

Filesize
4.1MB

MD5
8dfc47f155261bc23477ce09f0cc86e9

SHA1
8838ecab10f21a31b324a0a14328f7e98df06c9f

SHA256
d3161c0b70615187e403cb92f689af2b42242589fded1b4e2735b4c150e588f6

SHA512
5c4ea16965f99d15b9326f278a41a9bf27c77631e28fef00062557c6703e4a9cced7bb428b1192dce5d54ab1414edefcdd8959999541e49cfb92f533e9ab585e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
5521bb4bf79301bac32581e895ede7b0

SHA1
11bc09552814be908607a3196d07f61ac56c789e

SHA256
5c5e5dc369401e00ba716207f4ae6a0f89165919f7bae1ae4e614de983b29200

SHA512
994a18dc78fd7883c1176236488310d089fc79d291da807db4c89ea23ee20626f515eb5080434740bccc8b7d333b5cc91ef383707506285b8d2879ae0da22cac

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
492a69c691325ff246c1ad5b392897ec

SHA1
aed0b2c6e07cf4282781fc24e1043f3173d72f80

SHA256
13bf73b70aef48ba6eb0ec01b1fc1db37c71df67040c1561b447753a4003f1bb

SHA512
cf6aa1c7a5ba622d069ee606ef5077924e61a26445b1a1d491bba885316477f715fd064b322739cd0be8247075d7c97c9e4c120a226c53d9915c4b10f776f880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
4.1MB

MD5
3d243e491ba194d9266db8e0bf4da139

SHA1
b5c42395f846d023229c3f9b567d4e793ca3b52e

SHA256
8d8e9019471a2105b7f6beb8e86ff30286d2fcf9ee5f663ebaa103bf49f49895

SHA512
f02c119ecf8c73d7250fc5b608e5e6bb58da9873e7cf3f99638b4ebdcc10553a1e8c1fc102e7bbfa5f25aced880e9662c07fe727e8ff972f0b4fbae8741c3922

Download Submit