44e0139b75c7d213e5e42c53a2e110f131353222f2addf33b409bfbd6e9703cb

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 04:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
Size

3.2MB
MD5

6ed69a895aca267b46f779890b7f9190
SHA1

23c8892f25e79252c41dd547b4be1860cf07489d
SHA256

44e0139b75c7d213e5e42c53a2e110f131353222f2addf33b409bfbd6e9703cb
SHA512

ba60a93d45b87ecd9d8cb51bdb7028f81660223267bfe8c2b6fe58b87a7e1be111ce0216be2d0ee6f82c4a93328e52c1e9bc260d916acfa002d5e7f8963e7cc4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp1bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	locxdob.exe
2252	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvN2\\abodec.exe"	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5L\\optidevsys.exe"	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe
2172	locxdob.exe
2252	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2172	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	28
PID 2608 wrote to memory of 2172	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	28
PID 2608 wrote to memory of 2172	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	28
PID 2608 wrote to memory of 2172	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	28
PID 2608 wrote to memory of 2252	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	29
PID 2608 wrote to memory of 2252	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	29
PID 2608 wrote to memory of 2252	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	29
PID 2608 wrote to memory of 2252	2608	6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ed69a895aca267b46f779890b7f9190_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\SysDrvN2\abodec.exe
  C:\SysDrvN2\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB5L\optidevsys.exe

Filesize
3.2MB

MD5
f625a0cb11a8bd5c44519d1076418daf

SHA1
5537c4f255af04ed5206dc0cc29fa06819af50b4

SHA256
18a30d81a307691b6b582dc6c618fbd34080a37d8b9db9767d587a1c5e56d607

SHA512
1f1d25ef93ab5f536d1a9bb5558b785c2963901e39644ab9ab2f113920b5fc2b31dcbe6179e65a2f1035163cb996cbf0bfc172cef2e0e2bc9ab8b868ee8b2ae1

Download Submit
C:\KaVB5L\optidevsys.exe

Filesize
3.2MB

MD5
4fd16bed66c149a7a4a8b90dfa5900a0

SHA1
b27920de009dc3cc44ef69079767ba9764fd4edf

SHA256
5239dc51a091f5b810629e257ed9d65bf4092ec0d1c6f7dc0ac8091f11f02922

SHA512
0a64053680f272069757daf12d58778cc22646f04b549910a2c6a08db3547472078d8984f849fb1c40d7fbb4dad95a189d67ce8a529e9a95c7cb283ebfeed6a5

Download Submit
C:\SysDrvN2\abodec.exe

Filesize
3.2MB

MD5
cb4dece3e6f9c511e2fafb47df41af5e

SHA1
8fd5db758a32355e95853c1cdee2035c05ae6bf7

SHA256
b6cb1187d8c26d4737f9770df23399cda0192609d23f0a911d7bddaf70d26b3b

SHA512
415c27105d0ca27c6ee54856676789cac71f0dc6915cdafb120347ce61635a9c0f18833f867bab82836128c0630d3716c0658a467523b7a4cea1d712fe37ccbb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a7d7b307bebc04614958c9174576246d

SHA1
933a75f92ba505e1d7cd2cd24bf73205c0cdb155

SHA256
c3226cbaf0d8d9ca57701e5716163ad7378955172217213c8445f5eedc10337e

SHA512
bd5f870869b1663afdcef8a59401a000bd301cc37e52c5c57c4e2740b67f81c37fe3f9160b2c9b0cdfadb76254e401f7d9cc2d9b114d662f4f8c5b5875261737

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b836e05076e1f6e77249ac241368538a

SHA1
dd17e43447e6e50a10dfa6150d90539c27792a4a

SHA256
c1566462e6197c8e5bb53ac8e5a9797d63eb3c5b9336dd23355619522a0dfb40

SHA512
bea2c164f17bece77ccc84be1914614ecf8b51ffd00ac1cc7946d67ee3b5cd1d2f8ab3d72902bd845ddcfdd2c8d445da91d90de9790439a80385ecec66ed4475

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.2MB

MD5
9ef09d2b7ab486fa756898f45d78dcc1

SHA1
c618b3e1aeda92ff370fcef824b535034bb32b5e

SHA256
24f7a3f03e8e9b16a14e56ed46c4912e35dbc498d68b85df7a51a6b205b61440

SHA512
1f68324d8fc0fe084c2c59065641e6507f43698c42d41f520205cabbf2b7b64ec02799c75bffaa41f7477587180bf12df3814b465605814f41b8e1565ee3b0b4

Download Submit