14be9451a477c33cdeac106d735da86feaf904c617ce40842a30091d49418d9b

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
Size

4.0MB
MD5

669d762d3763a6e011f740fa139e70a0
SHA1

55895bcca197f71dae446ed70ef14fafe1e55e4f
SHA256

14be9451a477c33cdeac106d735da86feaf904c617ce40842a30091d49418d9b
SHA512

333f283f61c3737969a49d98242888b96cfbcddca9d812fa25a38d51e8fba288ae3292e03036c8cb40ed5f42d3c2421cb9896ed98f8fb46a331f537dd61cebf2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4904	ecxdob.exe
5016	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ0\\devbodec.exe"	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEN\\dobxloc.exe"	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe
4904	ecxdob.exe
4904	ecxdob.exe
5016	devbodec.exe
5016	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4904	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	88
PID 976 wrote to memory of 4904	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	88
PID 976 wrote to memory of 4904	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	88
PID 976 wrote to memory of 5016	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	89
PID 976 wrote to memory of 5016	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	89
PID 976 wrote to memory of 5016	976	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\UserDotZ0\devbodec.exe
  C:\UserDotZ0\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxEN\dobxloc.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\GalaxEN\dobxloc.exe

Filesize
4.0MB

MD5
9b2026bc8fbf552a2246d93a412dce4a

SHA1
bf5bdec43c984893f773792c49b26848f3d96f0b

SHA256
4c1238000d13fe1d3c5b5b0747696bfd5070eefbfc954be3bd3d4aa600db8876

SHA512
bc5d97c70e90e77080ceffa4f39fb0e33d72d803c35ca26c699182f80bbe52f6e170a5b609db51e6782286bde98305bc7307220eb31b10d1a6f19276ce7d16aa

Download Submit
C:\UserDotZ0\devbodec.exe

Filesize
4.0MB

MD5
526b82f9d3dd9241843a05888d530e32

SHA1
3bc1b22fc3d4da3fe498f369175f4ba12aa38834

SHA256
8735bfcd888a842e7e544afb588f66579b6a6a5c5427dce0b3eae241e9222d76

SHA512
bec5ddf27fc4a28f9835466aec8778475b18423f231f07ab2735f3d5676bc8a8f6560ab009d55a27669634f74e9aafb55af3e208c82bf779d3db6a19421cb4c1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f4bb72a5ca054a52314cc09a45984ca0

SHA1
4a460107d1394a2725ab5d0c930f362e3ac4a5ea

SHA256
2e02b2917d4d834f12c8daf6b6d4c6cb5bf2596775ade1c4e2132398957c9be8

SHA512
69f82a4ea9f7cd0d57742a871b6401c0cea3f6f827dc3089c44e343c6cb67c57dc2e5138a292e0531aed9f22b2518b5a813de9e6c13321044dafc918be1b1b6d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
e5f89182f806c25ab3c4c1d647a0fa13

SHA1
b59f279802046401e86c1d7a827a23c8212b3ea7

SHA256
c5f53c200e5fc19ef4b070476ae57c6f657e6f9287ea9a0aed75fc905d0cf70f

SHA512
d5d4e479dd93ae4196c3168e195b2db175fdc5276d1b7056b11397e4624d6c188e2fc26b6d91aea0f9d7b5fbef3eeb5ab0ed0e2dd99757ae74f134437dabc68c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.0MB

MD5
ab41b74f9beaaa1a07a3ff6450fd26cd

SHA1
1dddd5f3a13b022472ce0ec8419b23142c1e9aff

SHA256
f0262112781054056291404e7cc377cd9e57dcf174770e27ac0d07fbb6605a76

SHA512
c34e0d4b4f3afa839357794cfeb1008c2e12df23cedad584fe902d3135974bc2dc03b9bb8e8336540a8760e92c8ac8d61b37d0140c68a2a81ea0748f1c642c3b

Download Submit