7f5c13c8a81b457e64ae5d19b7bba7c8a06bac43ea037a4b175908da5136d7dc

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
Size

4.1MB
MD5

52765d6a72d16996ebb2ff54c3f8bc50
SHA1

45b3804147a5e36d7383182c551a2b1cca5f9d5b
SHA256

7f5c13c8a81b457e64ae5d19b7bba7c8a06bac43ea037a4b175908da5136d7dc
SHA512

50b6424f2bf8ccef4ba3774ec7bd93cb8e3d46bf3adf88834da4f24fe85c2e8c77da2852288b4e7addf04d192bd42e4128e8163cd28ddbc26cac49b5a5e57c3f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	locadob.exe
2236	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot83\\devbodec.exe"	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2O\\dobdevloc.exe"	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe
2352	locadob.exe
2236	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2352	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2236	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52765d6a72d16996ebb2ff54c3f8bc50_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\UserDot83\devbodec.exe
  C:\UserDot83\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB2O\dobdevloc.exe

Filesize
4.1MB

MD5
c05e17a8ed7f46b2d84af1d535b15739

SHA1
395dc5ab1ce545bee20eff42925a316d26324191

SHA256
e05f6b68db3be244185420c82c318bfa8b5de6cad06f99b49d88df44c118ed58

SHA512
77b195c2f07dacbe73eda48dfe45c851ae4e120c4d67f063196b957807915f9f71277604f510e74c7694729df511ece3144b59cc9f2e1313b665376da92a7c8d

Download Submit
C:\KaVB2O\dobdevloc.exe

Filesize
360KB

MD5
4a3063007a12e9c88a60d1f513838333

SHA1
f1ade646c5ef4a8c997c191bebb6921a002c5742

SHA256
3433c3d105d17d8764fe27accae51f996bc65c2a22d69d3e504935f93747c008

SHA512
91cb240ead42520a812ee59b869d641a6716fe45df24ae13db75b29468c42ea490251ed0e6b03d2e4f1a45c593ce729c5fc2d125db0744cf03fe11169ba0e0a3

Download Submit
C:\UserDot83\devbodec.exe

Filesize
4.1MB

MD5
fbfab371c9c13fab72cf61d38df3a738

SHA1
034be71b3721be509a8fd116c0ec8dae0e166b1e

SHA256
a5df60375ea74dffec568e6ba0c3ee7a879fcdf8dbe5ee26710195bd28dccc08

SHA512
728319b9570cbcbe39bcfc2cd39e77540b74643a22049d02607ad4a109b89cde193376780cddf7d90361c65bfe9df2858a5390b72cf69c81636449b958558273

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
9d3426be473ac0c1107847082e194023

SHA1
be56fb2d608368533028607cdb6398268dffead9

SHA256
4306c33b7da5bbf999852e313443f52fc140f99a203e4b2659e2529e432f6b08

SHA512
ba5d14b1acea2b2bc57d7e940f285c71332d52707bd0b9be8d344153cc27693eb447b851b199fc7040e8138804e92dadba565155cb4305f97a4fc4547dccb742

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
b5330f8437b86a782dfde79e5a9d5f5b

SHA1
0d782ed1025e4a253b2f8d295d9c474a50979311

SHA256
b396c98a913baceaddec83e7cd177904a8a9909ca4016100d9ef30b9f90eb39e

SHA512
aafc75706af9342a858691f551078432d8e20b0ce0a1766505934779d841757867d60acab2063286524dce621e721d63a6baf759fcc9d30c4d6b148d60f5c11c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.1MB

MD5
0c8b88edf24095a93555660a07b27136

SHA1
12831a45e0f3e45d95390a82e7b1768724480b76

SHA256
4630313659a3008a916a1962d6fe7d6332b2d317315568ecfbc913ca169a1b9b

SHA512
3f08fd085a372d98df43a0b0b2d6d5671b1e99ffb9c35639cbd9444f952f5fd1983b9dc7c50b149e5d29fa4d4bc8d7245a360d0b08740c4c3bd1a29a0837f787

Download Submit