b10a672cc218783d21833077fc9f57c23d5592ac631e0fd1da192f7d42b850ad

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
Size

2.7MB
MD5

9cd9002951710e46e1bc42442770b590
SHA1

eec5ab77ed7135d665a1054fa2b06cdc7f95fb2c
SHA256

b10a672cc218783d21833077fc9f57c23d5592ac631e0fd1da192f7d42b850ad
SHA512

5f16b573360799e258794dcb351d6514db9a30e2f2e9cb5fe79066da937c5a38a6dd7523c3f04dd968ac854261c5810f9095f4d88ec44242a770eef98170f787
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2G\\xbodec.exe"	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBM3\\boddevec.exe"	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1812	NETSTAT.EXE
1708	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe
2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
2632	xbodec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2220	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2220	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2220	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2220	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2632	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2632	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2632	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2632	2884	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	29
PID 2220 wrote to memory of 1844	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	33
PID 2220 wrote to memory of 1844	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	33
PID 2220 wrote to memory of 1844	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	33
PID 2220 wrote to memory of 1844	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	33
PID 2220 wrote to memory of 2296	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	35
PID 2220 wrote to memory of 2296	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	35
PID 2220 wrote to memory of 2296	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	35
PID 2220 wrote to memory of 2296	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	35
PID 2220 wrote to memory of 1448	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	36
PID 2220 wrote to memory of 1448	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	36
PID 2220 wrote to memory of 1448	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	36
PID 2220 wrote to memory of 1448	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	36
PID 1844 wrote to memory of 1708	1844	cmd.exe	39
PID 1844 wrote to memory of 1708	1844	cmd.exe	39
PID 1844 wrote to memory of 1708	1844	cmd.exe	39
PID 1844 wrote to memory of 1708	1844	cmd.exe	39
PID 2296 wrote to memory of 1812	2296	cmd.exe	40
PID 2296 wrote to memory of 1812	2296	cmd.exe	40
PID 2296 wrote to memory of 1812	2296	cmd.exe	40
PID 2296 wrote to memory of 1812	2296	cmd.exe	40
PID 2220 wrote to memory of 2240	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	41
PID 2220 wrote to memory of 2240	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	41
PID 2220 wrote to memory of 2240	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	41
PID 2220 wrote to memory of 2240	2220	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe	41

C:\Users\Admin\AppData\Local\Temp\9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
  C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:2240
- C:\UserDot2G\xbodec.exe
  C:\UserDot2G\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBM3\boddevec.exe

Filesize
2.7MB

MD5
039f742598e346dc5356f8d3d1af59d8

SHA1
0e9509a374b968d7fa4de6a743fd8d55ac4726a5

SHA256
58b64b28e8a159dbe09ea49fbaaed5d167ac1b65deebac073bc0bd5e698146b3

SHA512
7a7c5790b43373c22ddaff8c437c8f9ad61f82bb68145b06d2845db1daeab13cd931ffb55421ec7d6361c30141bed08d56af0f1a94459cffc7d6244ae25afdf0

Download Submit
C:\KaVBM3\boddevec.exe

Filesize
335KB

MD5
dffe9de60d4d9766e910b3a2d19065aa

SHA1
bef74c32719caf9a6f74350b662921c969c50483

SHA256
60a9dccd3741b231706457703d581c23f422efc7ffd6492a5f253b6387207e70

SHA512
b8115b6d7194797709f81a99043f6b8278a506544f9967682104d3bd2de490903f479b3f5fac3cfc2ea6be38ec58642191c97ea8bf5940f08bda59fa1138efc3

Download Submit
C:\UserDot2G\xbodec.exe

Filesize
2.7MB

MD5
bd74cdec4fa2713fc6bca69ba03a9508

SHA1
829e42937ccbcf5cfd331b43de717973c6612e93

SHA256
17e41e95ab3441504812cdc7634467a044749ea8345191bdf06fd2987ca0c926

SHA512
8dc11c4ed984f9309b0187d13b28e8c2bda4e10f29aca6fa3351b87ace777b4f34907c4f638b759dd5ad90a68a0313315bf2f3e1792a945e41f805ff66d0c859

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a4ec854edc9d2a7e59094eef242f1e3e

SHA1
578da2a617887d8de35ba75aa41b3cffaa7b24be

SHA256
258dc0027971e3db60d2203c50edc113a4e7f2659fc7092cd6514db950b49c9b

SHA512
3fece3b262ef0db116160de28913cca0ed7bbd30512936c92cd86f0017a245675da4ced45b100bf35f9a883966ac9632e6ab5cb225a0e02ed60c7e8dbdc85629

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
de0fc613b90690cbb92f1a45d20e270e

SHA1
53358745a8937dcdb7a255d71fb7a6436e99f430

SHA256
df8d74271e5c7734d6158324672847c98301f9b599ce92b182e3be276ea8d850

SHA512
850b2374aa2f48d1043b3ae57837aed03f81d8c9dba01f68a74d8afe4b2cd8e2fc86553191f8430852bfc99e6e988f3ae5eb735693780399151f66a36ec53b43

Download Submit
C:\Users\Admin\grubb.list

Filesize
262KB

MD5
c557fa3420df0c67568c29b960ae155e

SHA1
b54873c4d0ad88edf2711c3391acc0d95c7752b5

SHA256
aecfa3177f0868b633a3e0585e5da7efaab7efc3440fa03a3323c2f40a7d44d7

SHA512
780365a43329898ca878e18a5369e530f37076e515eb1562693576dcabc230d2cad86cac5b5e95ac4921a79ca311eafd07cf701800c52cac160a54a2edca28e0

Download Submit
\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecxopti.exe

Filesize
2.7MB

MD5
fcea72e4d288f10fcbe8b89ca6f17db1

SHA1
f51200c43e32bfcad598d771ec6eba276dce94b2

SHA256
e08442edbccad4d778c48587d47b7ffec02198c4da50dfccd1d74cbe91423337

SHA512
4e33ce4122a7a2ac6163c817729fa6765a5df21c316cc6d1aa7e53735a5a7a6d779506b586eea8562b2dc74f1320ab4798bf5f69b11c3206633855930398f253

Download Submit