75d13e6ffce32c4c8b1b53156c9692b5da60151f1d16ae1561e4e555cfa5f2a7

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe
Size

2.0MB
MD5

1ca9c307cc30c9ce41044a83e4395d40
SHA1

5e38af8c60299a5ff513b68122010bc356320c08
SHA256

75d13e6ffce32c4c8b1b53156c9692b5da60151f1d16ae1561e4e555cfa5f2a7
SHA512

a78c33e1d73cf878caf61785b65d83d2aa2153feab725497507171609709eacab95a8f84784d728ffbc54b52b702930908251f0b259d3a5caedec7c78cf7f7e7
SSDEEP

49152:h1OsDCn3b0sdq9tVkWMq0vdovSHhXXruA:h1O7nL0sitVkWX0vVl5

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4736	0DnZK4JvB5GNGWb.exe

Loads dropped DLL 3 IoCs

pid	Process
4736	0DnZK4JvB5GNGWb.exe
3496	regsvr32.exe
3140	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\epbkgkdncdleajcmbijdlancknilnibn\1.0\manifest.json	0DnZK4JvB5GNGWb.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\epbkgkdncdleajcmbijdlancknilnibn\1.0\manifest.json	0DnZK4JvB5GNGWb.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\epbkgkdncdleajcmbijdlancknilnibn\1.0\manifest.json	0DnZK4JvB5GNGWb.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\epbkgkdncdleajcmbijdlancknilnibn\1.0\manifest.json	0DnZK4JvB5GNGWb.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\epbkgkdncdleajcmbijdlancknilnibn\1.0\manifest.json	0DnZK4JvB5GNGWb.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	0DnZK4JvB5GNGWb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	0DnZK4JvB5GNGWb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	0DnZK4JvB5GNGWb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	0DnZK4JvB5GNGWb.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.dat	0DnZK4JvB5GNGWb.exe
File opened for modification	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.dat	0DnZK4JvB5GNGWb.exe
File created	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.x64.dll	0DnZK4JvB5GNGWb.exe
File opened for modification	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.x64.dll	0DnZK4JvB5GNGWb.exe
File created	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.dll	0DnZK4JvB5GNGWb.exe
File opened for modification	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.dll	0DnZK4JvB5GNGWb.exe
File created	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.tlb	0DnZK4JvB5GNGWb.exe
File opened for modification	C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.tlb	0DnZK4JvB5GNGWb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4736	3176	1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe	80
PID 3176 wrote to memory of 4736	3176	1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe	80
PID 3176 wrote to memory of 4736	3176	1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe	80
PID 4736 wrote to memory of 3496	4736	0DnZK4JvB5GNGWb.exe	84
PID 4736 wrote to memory of 3496	4736	0DnZK4JvB5GNGWb.exe	84
PID 4736 wrote to memory of 3496	4736	0DnZK4JvB5GNGWb.exe	84
PID 3496 wrote to memory of 3140	3496	regsvr32.exe	85
PID 3496 wrote to memory of 3140	3496	regsvr32.exe	85

C:\Users\Admin\AppData\Local\Temp\1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1ca9c307cc30c9ce41044a83e4395d40_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\0DnZK4JvB5GNGWb.exe
  .\0DnZK4JvB5GNGWb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutoubEAdBlooccKe\MycB8exRDL3wde.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\0DnZK4JvB5GNGWb.dat

Filesize
6KB

MD5
6776cadcf9ed5c3ee38a2b2d18109fe3

SHA1
71f391a97a47236aad2b7fcf70e1c063ac0f9d9d

SHA256
f4cc39551af4356e666e252fb20acae1cd2c3069617058a90e61e2f2594df98a

SHA512
5a42a9b5320925c446010ca9ce39ef64a204b8abd86c23f4ede137094ebc88a57d23cb177219b31338b7e53a15848295749c7a475ebc4c88aa5cade10a18e0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\0DnZK4JvB5GNGWb.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
0e0e3cb1bc7ccec8266977a32cece84b

SHA1
6f3c5735ca1f81e9244ab779b8f8e078558b29ff

SHA256
1e6026368c4c8c4c895ba8e0f2b08663d02626638d549dc39fdc0622055e51ab

SHA512
8923fd68323afeb4c96166ce8b3e1f0553ebb53bd352344b1998347de18bb8f0ea3d54acf6091b3edcfb72ebb540ea5cda4dbf53a57bfee1aaaf092a17418a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
aeb88f0ac9e7ea15e802e51f2f183192

SHA1
8444acd75f1b15b8d35a19da0097d2a73d2ac029

SHA256
93f904d54ccd4976e625cd4169adeef60edd5775a252a976f1618bf359d53261

SHA512
702d84848c4f8ca5b47b6209fb4e89d8a56415ec9e7fd9959e5f0d3115dce0a3667569f26c7a6f25f9ace5a73a19e4470856260ffc77b2d7586874c1bba72467

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\[email protected]\install.rdf

Filesize
602B

MD5
0bb43137fe89567546fa1ce3046b6101

SHA1
03bcc5acc95fd64c5830cb10e506f8dbf4f074ad

SHA256
f7397a986bee07481a030220d913bbabd537e46c6f337913cef5c113293cf575

SHA512
1fe35c024c52bd2eb0285e7bcc61558ee52b1deffd2b76ba3235f026b4bf80398562d82f7a0b1fd3fd0fb36d17fa47d461f194ed01e86583bc0d475ced8d3e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\MycB8exRDL3wde.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\MycB8exRDL3wde.tlb

Filesize
3KB

MD5
b09701113a6fa6b7ce61cef1f5b3dc70

SHA1
752190cbbd25d899b48f6fc2caa9cedd3baff7df

SHA256
a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1

SHA512
9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\MycB8exRDL3wde.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\epbkgkdncdleajcmbijdlancknilnibn\background.html

Filesize
140B

MD5
e9a67ae5b0d64519ea1ec85309e5983c

SHA1
b06c9c45d6d3ee7fc1414f54c90428043f70a1a2

SHA256
7f6b2aeb0529b3f311d6952387e44f844d465e68b540176ebc061e9d32d6e6d4

SHA512
d2e3d5cd0104ae689dbead79dc9dff4ff1c3a7f6661f3e869a50fc62ce143dbe9756db9614f6251588bcb6bcf9fb99d47ab2b6eaff7a21919737d8aff84107fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\epbkgkdncdleajcmbijdlancknilnibn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\epbkgkdncdleajcmbijdlancknilnibn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\epbkgkdncdleajcmbijdlancknilnibn\manifest.json

Filesize
510B

MD5
df19a758b21624e6305859fa6dc8e90c

SHA1
2500e73477fca5daac0cfb54c62b9d77b620c4d0

SHA256
66334905900729d44cb033d4b7be995b557d713360bf1a3c898ef3f9ba1c4c22

SHA512
c8d91993651121c91da030abea08827a0db9a778a9c6124217236ff4093a2433aa336efd219667980b949fc21ac49f3d8aa3318ea497fb6662fb8a79af6adfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C1C.tmp\epbkgkdncdleajcmbijdlancknilnibn\qoD.js

Filesize
5KB

MD5
5d1ab46c9ab73755f8ccf09710db7e69

SHA1
bf1dd08dfff00bab9a477d9f1fd05f7e27beb24f

SHA256
c69163386ed325f5ef82b82113953f11f6f1c96254f2c69386559669b890d63c

SHA512
18595039c3d13d359f34f4b75cce2ad7dedf0d07d2e9985ac50ecb50fd4bd69cdb97435164f9658161b774d71153529bf4f5eaf289567f6117bf189b751354df

Download Submit