5626678c16436544de0a3956b8c1395a4540ae2a990cb08aa6cd74723f7131bc

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
Size

3.6MB
MD5

14db6e54a1f612a53178176873f85620
SHA1

2952db875de4e0f0131c032d0eff86ac50a19e1c
SHA256

5626678c16436544de0a3956b8c1395a4540ae2a990cb08aa6cd74723f7131bc
SHA512

3645ffcd167afe44b239307f80cf565355a527a2b9ae15520d9238ca49e91c08d6eb217d0e09d31dde3a91099641e90efd1cbfa8383c02ec1caf5d8edb37bded
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	sysxdob.exe
2984	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1W\\xbodloc.exe"	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZX\\bodasys.exe"	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe
1992	sysxdob.exe
2984	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1992	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	28
PID 1424 wrote to memory of 1992	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	28
PID 1424 wrote to memory of 1992	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	28
PID 1424 wrote to memory of 1992	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	28
PID 1424 wrote to memory of 2984	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	29
PID 1424 wrote to memory of 2984	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	29
PID 1424 wrote to memory of 2984	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	29
PID 1424 wrote to memory of 2984	1424	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Intelproc1W\xbodloc.exe
  C:\Intelproc1W\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1W\xbodloc.exe

Filesize
3.6MB

MD5
79c4e4944a3747b57aed1f7f1f889af8

SHA1
b5294893eb3c217d5d7c32c6692683df0ff3ce9c

SHA256
15041bcc1ef435c05c86f368d9501d627133214a43f13d7c632427cec7eb5479

SHA512
6259e2d3d5d733b9d83f02aca835f305eaef92d5f36dd6cbf51acaccd4615de99a94fe6c4aac36611e57b89fc57f3d1d781c8ffae4f602e01845f027bec825af

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
9dfba687a81483020fba895100d01585

SHA1
f6be6ae08b6a7c064525f02d92348caa35666733

SHA256
14d57cf46b28fb5db29b7ca7a7ff3b92d17d14a03f1900afed42843d9a093381

SHA512
759ada1a880cc65fafe463c8a7ff26415a8cf6941f260b422a92d4fe061ab52f9051a87af2e4b79c3fd3878ef97945cefbcdc0f5ed4ee302571929f7ee829231

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
648fa3056845f7061708769a73876a68

SHA1
5d566c7ec326a66121d8163964d3c51aab9d5c83

SHA256
6debedb2423bf0e07b5b6ee2fe71a01932e18f2faa3b71930ef77005dd992dc3

SHA512
692baebfa73a78eadd52dc899c3ec868b57ecf9245fec503dd0e5a5a7c5bc7738026eeec0d58dc5e65d510b8fc78d859d41ba6046c67d8eb2355c62c8d0080fa

Download Submit
C:\VidZX\bodasys.exe

Filesize
3.6MB

MD5
a505a22683132680d4c14e6bce781b77

SHA1
ea671cab7fd22371f828b5462d6d9a9945d6ec71

SHA256
540465fac3d4bdb4d4fcda661b6b011d33b0d9d48a8eb58ad77ef1236edc9b3e

SHA512
d05cd1def8a8750fecd9d15fe3d3d25ce349c6a336829779415d2fe9c5d3178232c2a5780a19d3a7bb1e1cff3a0d3407e7c45242e82adc86b375e84f13a32ff3

Download Submit
C:\VidZX\bodasys.exe

Filesize
3.6MB

MD5
de375579ee2948fab8a060a1d4371f94

SHA1
1cc6969056e192e7e35aa0e94002f6963cc390fe

SHA256
88437e61d3c0e530ce90c808259b23e5d12831593bc2843681982bd0769d373c

SHA512
aec76e273d8882a3d1e3e86c0583987dc773e2bc0a7eec4366f3e606ccc6f1846da409197594f94e773740af5a6c1d28386293295f30f394b3bdc4dc06245b64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.6MB

MD5
6c7afe80e2ae6d26236acde22a4b1637

SHA1
fd2e81ef8c7de4826973ced234d0d132a2d75392

SHA256
c4e3b1deb6bb5f6508e6146048cb60930c9bf5aa1d44d36e88fff82282018513

SHA512
a43b5327f7e28180a0fbe3a6f76082a30850b9e5cc00e2c11110325f5b7af524ee59f88ef5443fd3ec55f43793236a1aa78d6274194a5d0b4438216dd2d43ec1

Download Submit