3d4974c574986754ad68f9f9b524c521bb3117a7d91b585d8aa43a2f805c653e

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
Size

3.0MB
MD5

b3967ea6bfaebd3572026fcd123e90e0
SHA1

7f2d2543f7a047e14a42494944596c5eae51a270
SHA256

3d4974c574986754ad68f9f9b524c521bb3117a7d91b585d8aa43a2f805c653e
SHA512

60be2281e92ba98f7d4fed5d1c0f40ab350a85cb379d50b4c709f105a989d03b78eaef0eeb71b0fece400be2e89fc82a277b41bf904b5a2236ab80b4d79ffac6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpibVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2424	locadob.exe
1672	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1V\\abodec.exe"	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLX\\bodaec.exe"	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe
2424	locadob.exe
2424	locadob.exe
1672	abodec.exe
1672	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2424	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	95
PID 4088 wrote to memory of 2424	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	95
PID 4088 wrote to memory of 2424	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	95
PID 4088 wrote to memory of 1672	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	96
PID 4088 wrote to memory of 1672	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	96
PID 4088 wrote to memory of 1672	4088	b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe	96

C:\Users\Admin\AppData\Local\Temp\b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b3967ea6bfaebd3572026fcd123e90e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Intelproc1V\abodec.exe
  C:\Intelproc1V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:8
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1V\abodec.exe

Filesize
241KB

MD5
67daa73d8a35b27dac9635d6bd373af9

SHA1
6833523c896c11382fc2f61d4fd044de4c9710ae

SHA256
b85390d9fc2bcbdd3240c6c8fe88a26cc2a5a2399b445a070a199f21b0192adb

SHA512
c8ccf7cd4da3927ca8ea8b9585e63d2aac3b8e3cb5c2f32d03d61a1643d2aecebd700d7df3185d916ac83246f1b6ca0d79aeaf83c64c961bd1090ae23265d9ee

Download Submit
C:\Intelproc1V\abodec.exe

Filesize
3.0MB

MD5
09af8b4c4536d513b074664ad46b5d06

SHA1
fed709cfc5c474a87f70e5cad0d267b48dba1071

SHA256
e105b838268f85d0daed6a8ea28668b3aae31842a39f663ab0b497d3bc66369c

SHA512
b25036449dbbc77af4eab609f46406a52ddd76863518555a4eb7cc42d555a1f801e256268930eca23dd7d55026a6fe8bc7a1485e887da2f1b6f518ac492eab7a

Download Submit
C:\KaVBLX\bodaec.exe

Filesize
410KB

MD5
07ab778b15f9c2d4d05594ae5f5d9c06

SHA1
6fcd59cb15e7badd0ba011538e41febaac18678c

SHA256
225aef43eac29a989a15fde5c3c0a1b250b65502e4a9b8d8f2bca8d6e052dfa7

SHA512
c3e75a97841d93afde43bcf90d4577729e79d7c06958694e16f77ef2d30db42661419fcafc83e9c59d4451c28e6481864555bc9926d4be38a7454d740c3639a6

Download Submit
C:\KaVBLX\bodaec.exe

Filesize
3.0MB

MD5
7eed49864f2cf8909fc944ffb3fa28d4

SHA1
c4b815020502f2d6990fde8afd312d1caad8145f

SHA256
e3f00f91f9f3a9392c10ce65c3ff4557bb6362dec64e2d235185f8c1467e8d01

SHA512
7a3d0fa0f7a553c728cfef702acfc16c7a31fe93cc0d31c85228935b7a8f3a2883be416d853c046df284293483ce9f4cb8e081c85104a1fee71ae0bdb368effb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
5e2d2437d1c6744b5f7e1976e55ee04f

SHA1
b1bcee3078836134535db10070f3402e28407ad0

SHA256
97f189631bfbdbccb11bdb004e73b45bbd19528474c8105ff84fc07554624039

SHA512
6fbfad0b0c97cf7ee7b56be0e62ba60ccea7d556a7764b75bd35defc21527bfc99a012e3544ded30eb04cde44e24b664024ca2a57ac39932b8d598593595322a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b6e127e22f279763fe4053166bc67bb5

SHA1
1c8b110c0180da0960aed23ebb87216835756625

SHA256
bacd7b04115d38e31965197f637c88662d257569c6c2e705f72c01740b4cb63b

SHA512
a6b91ff5514e95e0aa2552e3452a689744b1928a2596caa213664b2f3b5707e5c9e19bf87372f0bd7bc7e1a43aaa6b133f4935782fd86191f48457a258075716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
5e0d8d5007f9273198cc0b3d597ad2e0

SHA1
8e316cdbaba4c1046020f60dc8ec83244d47bf07

SHA256
022659bb8af53c5031fb0c76493464f2e3dbb949229ad00876cb99f8eb533058

SHA512
f5feadd9f47604e8093f68412af0ad9285ea50667b9ede22e9c1b09c922a8fc773bab4f17cde09dcb5b5015d9967abfce033e4016ca2c538698dbdd8259a7038

Download Submit