aa7cfe90baa977104ea18529c06f6a1d381fefbc3534c4ea918f5c28c965c0fc

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
Size

3.9MB
MD5

9c6e298c9f85823cd0c31f63dc4c4630
SHA1

2e068ee65eac9d2847f33079d3250302413c4aac
SHA256

aa7cfe90baa977104ea18529c06f6a1d381fefbc3534c4ea918f5c28c965c0fc
SHA512

f6fdf21c8edd19ce5b21cae578f85b6c262aed952b09ee0b2ea464a300a604c49f7c7dda35cd6db5096dd8062f7b161bf1f5731da47887b9440308b800643cbd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8:sxX7QnxrloE5dpUpibVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4656	ecdevbod.exe
2772	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCE\\xdobloc.exe"	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKR\\dobaec.exe"	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe
4656	ecdevbod.exe
4656	ecdevbod.exe
2772	xdobloc.exe
2772	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4656	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	88
PID 3592 wrote to memory of 4656	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	88
PID 3592 wrote to memory of 4656	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	88
PID 3592 wrote to memory of 2772	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	89
PID 3592 wrote to memory of 2772	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	89
PID 3592 wrote to memory of 2772	3592	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\IntelprocCE\xdobloc.exe
  C:\IntelprocCE\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKR\dobaec.exe

Filesize
3.9MB

MD5
23a6da783a5762127a74a91d504926bd

SHA1
91f2f861920db9690f2a2195fb7669ff872bbe50

SHA256
63f6e5235a36017c08ad72da3e4708b9ca007ed22eb293afe340779004766e9d

SHA512
c209206a2065a08ea8733ff85693c97a039da7f6f41ad476ec9ab67729f298b3f14d712158132df02e047765031f7ae3d845b8f2377a299789df2c8f8afcf70c

Download Submit
C:\GalaxKR\dobaec.exe

Filesize
2KB

MD5
d0c1cfb1bc751f796263e7f6ddb68f7b

SHA1
e35ef7c594cb6baa90f3b77146b71e296e56c4e9

SHA256
1a6c015cd3f38350b98a4f16e42869a081c8c2b12faf73546f606cb722413f4a

SHA512
cae3f67e99cde353b575ad9336db1f03f0a932d3a54e204190c32c3ac66e11ce387b2173bee5874627fd1c416b95406b774b630d0f3a6fd4b69f5987598a54cf

Download Submit
C:\IntelprocCE\xdobloc.exe

Filesize
1.2MB

MD5
1ee9bd6bce0e2befc74971b5db1fd904

SHA1
dd1cbca36a265c43dcee9d320247b423f1efd9b1

SHA256
54d769b95062d0f7d9084b9d06955bed92f4e60840de371d448ececf50cdd069

SHA512
1252c925f1937526e824e8cbb3b4cfecd1a1791ccdfde4521a14bfaae85c7bed04cbe3d5b090fe6ff43b3fea76a68a3442a4b4025f6af12a5d31e01abfe5d2bb

Download Submit
C:\IntelprocCE\xdobloc.exe

Filesize
3.9MB

MD5
89c3e5195a328e7f39df0a23f68e401e

SHA1
b07b3d6678647768244d591dea593a44b1b5545e

SHA256
837eaf55314b722e7b2e4f25556b439e6494c0e62ed93dace6d68b3fb4923c43

SHA512
57d03382f728ee0aae05a4f29927580c2f498408a8f2a6c054993474886b5553a167c50d7025d74cc6f73eeed26583eff115e5da1ab0aa8c052d86f1b98b307b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
e844045dee6f2fc1c6eb10ad90d1ba81

SHA1
f631bed084f2846022ec1a7a27af071091de5ebe

SHA256
2628ff9c8cd7dc8472a72f41dabe794359fe0e7bd21e5caa9b62f1abd8513dfa

SHA512
6bb136b060a78a31b9978fd510b9adb1b983bdbdee1a818c44a8823e615588ae8d6b58d8d8cdfaf1d96e60b90a0e76ebba8575fa9ff716e2e612095b609cc85f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
df5e7d154d617b93ed90b461366602e5

SHA1
f8d820cdb1d5fefbb406825943e83d91830ec0b6

SHA256
56682106c8654e0df138db5599c2e8a84fe894c1cb1863f457282d14ae48a771

SHA512
176d09eb51fd601c393baa4b2559255cff5f76d92dad05a31841df67f3953d8df2801d8c7dccbb1078bc8cb3b33baf59da53cfdc11bfee0a2fed87e81b6d415e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.9MB

MD5
cd8b0d80ba59df7df16a702f7c6bc70d

SHA1
a360d5ccd79543929382eb09b5c95f024864eabd

SHA256
1a410cfb5b2b7a28a89306ff6382c14e4bb42421965bd7bd9b49f3e451f1fd7f

SHA512
94b9a3749a17bba92b4a030bb557e0be169332d2491bc7dae6f7a53669f1c4a697901587a113f35a171f74292bc057ae5c71767754b15a413f1ae3b86d1b6fac

Download Submit