5c0330fc5f693f894d2add3db19f4dc1c8a8d761013a1934e2c2a6e8dca79cbc

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
Size

3.2MB
MD5

ccd51f6b22950feb1986a4cdb5a80430
SHA1

820c9c315fc8c15c2690f757f85586ed17db15ad
SHA256

5c0330fc5f693f894d2add3db19f4dc1c8a8d761013a1934e2c2a6e8dca79cbc
SHA512

e8600133ecaf0a11ada0713031d4f9bd2075574034209e32292a1ad20dc77e37fcccd1077989e937b87cae924e3a1b74840e16f3f11ea860e66b82e402d77bfc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	locdevdob.exe
1412	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4L\\abodloc.exe"	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2Q\\optidevsys.exe"	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe
2916	locdevdob.exe
1412	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2916	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2916	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2916	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2916	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 1412	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	29
PID 2100 wrote to memory of 1412	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	29
PID 2100 wrote to memory of 1412	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	29
PID 2100 wrote to memory of 1412	2100	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Intelproc4L\abodloc.exe
  C:\Intelproc4L\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc4L\abodloc.exe

Filesize
3.2MB

MD5
1b53a6dc6c7d39d4f2caa3b7808b3e53

SHA1
312a89e88e2e80bea9b9f40b970d8c250efa6bee

SHA256
c0c5334e62279fa0245256fca063f50893b0783f9d4340a9741fe9700f9d42bf

SHA512
ed58f2fee790282f4748a82e46ff2d61dd0f628ca98b7eef69c589c47a0e70a467e3dc5e9b98ee69facfacc980c47542c860ecb75fb021a5ae99317428976ac1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
11b3c1dc56e294e1d5738e95b43fee47

SHA1
28e96fc7d315e4ddfb9ea6993836dd6a34f5351e

SHA256
cff2fdfaa53f7c6e27266c7ae094b771610b45623d8a6f1206101b5e1a6570eb

SHA512
7dff1953762e61030f979c5ddf845950aa10839ec03668879f3f8be29f6f49172c483a5f43535ca3d01fd0eba48ea3f99b6d43dab322c43533a97f44fecd0945

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
b6392cb2c6844f40fcb94a37939f6688

SHA1
562cf00002891277dcdbaec7cae78df3b74f01d2

SHA256
8e789105565e29d9cf0000c7b2819793346b3cebc852f6c007fd3d2d7c4878e0

SHA512
e050c394310dbcf88e72053f439e2566006836b3b573154e63a6fd0b0abcd3716ad5610577db4d830d1f93ee7cb51acc1d45edaaa3a51ad89b60bf54874109b4

Download Submit
C:\Vid2Q\optidevsys.exe

Filesize
3.1MB

MD5
2ade307e9a8dd269742c11b1b3584f9e

SHA1
c4c0a77872d42767bb7ad6c6b0c99b5829e52811

SHA256
1b5575c3a852069d5d287d95b502690d1a8e34eafd2274553f0679e0c0eff7a2

SHA512
965c2e4b623bbc4dc1bd4c2719f824b223225ada0e840b070b662e826d3b86f25a2e6599c1f174907719e2645b858dda2436584ed63284202f326b19f79ef234

Download Submit
C:\Vid2Q\optidevsys.exe

Filesize
3.2MB

MD5
c484693f88065897004845c038e01974

SHA1
cdf9a48d3527db3fc4e0ee1d472df44eccd2016e

SHA256
cc74b9eb09f80431547fc42b48e298edae29e8f3adb71839939c7edbf8bfd2c1

SHA512
7a1d75a8f7d8177eb222344b40dd09f24c1e7327dc6cbc5f5bfa2288c66235537c0a2dac83b00f415457ed4dc6d5d8cc3b8b0511ae527ab0427735192b5fcc25

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
5944c08bd0a77009c49e1c33539a6dc4

SHA1
1f3f9982657dfa5c0c8ca82c040b0f40d4b73534

SHA256
76228336f101dcd755def88e620b8841578869fb24979070aa9d11a252071e32

SHA512
65dece648a6c680f729db7e26d67c666a5e02a6f48c8ce9c07783b0b3fd82f3fc9def414aca81c312aecf6ef88f10001d6efdd0e8d30475e9900b16126e6995e

Download Submit