10f1c6d91af5d7115b3a4778c641a4473fde255b6d0517b30d09f6d82cfb2eae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
Size

2.6MB
MD5

c48f64491a7a7b87bf124877a63ed240
SHA1

85aed40db6aaaf296c2be48290ccf135276a3ac5
SHA256

10f1c6d91af5d7115b3a4778c641a4473fde255b6d0517b30d09f6d82cfb2eae
SHA512

eb7f5c4e3f1124dbdade029e9d70f9a100c1d00a7fa29427377df41a574a7ea01dd28a5215e122741062aea60b22edcb80e4312c018a252f39826e2c8616a089
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpDb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	sysabod.exe
1200	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDV\\devbodec.exe"	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8D\\bodasys.exe"	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe
2108	sysabod.exe
2108	sysabod.exe
1200	devbodec.exe
1200	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2108	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	88
PID 5112 wrote to memory of 2108	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	88
PID 5112 wrote to memory of 2108	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	88
PID 5112 wrote to memory of 1200	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	91
PID 5112 wrote to memory of 1200	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	91
PID 5112 wrote to memory of 1200	5112	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\AdobeDV\devbodec.exe
  C:\AdobeDV\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDV\devbodec.exe

Filesize
2.6MB

MD5
5d3f3ca82c2086d19e009aec1c706640

SHA1
fd8521d95f395b11a9a8838f5cd5dc26f1ff6d07

SHA256
36dc29a5a12d72b89a0a2ec9d7e9be66a935327da3d29a46df89777d3d848a09

SHA512
c5611bb2eb9cfb160a3a552a495352c9f455b418e5496ff548610868725f519ca51cf5d977c6120f590fd7ef9ed1e5603e81868794ebdda9d4d9a943f14084ff

Download Submit
C:\Galax8D\bodasys.exe

Filesize
941KB

MD5
f160204309030f34c0fa01bbf64dd8e4

SHA1
f6ccb6359cf0ee5dff905c2009a4e4277e20af52

SHA256
809058b73f5ad2dc280123eb5a95e2a710858e852b3fdec6af8025df33993a10

SHA512
6809f545d79b4da7ea604017d4af6d8a7310b9b550632bde160f66e954c3221a6e3dc173c01afd13b9204f8c86e3ebde1c7ad02d2e964b546fd49464e0643f90

Download Submit
C:\Galax8D\bodasys.exe

Filesize
2.6MB

MD5
3774ca50694252adcd3bf9a17bd0e551

SHA1
bb72532cf1a0c400e42e60ce97c440341ea2e8f1

SHA256
01541a8695aab2dfd5408134886cae92c743c6cc16f9babebcfd5e40a51b2228

SHA512
f221e21ee4be935a79ef2a3a829e2ad6634fd635f73cd5c2474545bff508ea719fb7cec64389e1916141e4639fc1793f70cf7942132af415244c3af7a54bbf1a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
647cdd3fe5e54422346a5f5d1fbfaab5

SHA1
a0d45db2ac1327bfcbe04098ae77fdb1ce2e53ed

SHA256
3011a11f9da8a53bcbfb656d97c9df2e6e230ad8e5136be2db4d7bdc522246a6

SHA512
a6a640c19b2e617459bce4d33a84be3e51ad65f2e2d70e3f0a8be3529c0d051f3885f3addf406434893807eb8e03c68f03d4883fa38bd3c9a8151c26cfce3025

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
c4bd0ca1b6b3f72e4bff390d0585add1

SHA1
0115299f9b73402941d5d0e1c6a9ed38bdf35d4f

SHA256
06bfc53c40ab8594c3b8a3cca09fe7118a1811c24aa41688dd38f72dd7a151a9

SHA512
f2cf905abb84a3a178001cc7fe4ce26955efa85cfac2ed99263c3d6e329033f32753868ae78f6d0525b55092d330bba1636c8c52da11edbb6891ebf03b5be54c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
4085fc854839ef154596c24ff32f1fee

SHA1
bf88bc8e60ec78dc2a7f233370bd4dd41affaec6

SHA256
1e85cb1b93422b3c4ec903f20ae11871f327ab5dac170accf0d3d9cc03b6d2bc

SHA512
4e70660a3218d93c598d7813ee350faa530770cecef455451be59c1796a550c7f218e8c593a3692cb25796ed64820e16517a82751d55058b6f5bdd6e58f496ab

Download Submit