7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
Size

3.9MB
MD5

1997c881825c86264ed07533988451e0
SHA1

0431748a6566be7050093656d089b52bcc1fe29e
SHA256

7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542
SHA512

3a7869eec06be58b601aee81747e8d9b95fe6f1e8c8163b53aa76c0190d5ff3c6f734a86ebd613ee63c15303483320509534ec1b3c5807d84c5a2d8387349dc6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
320	locdevbod.exe
1260	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKR\\devbodsys.exe"	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1V\\dobxec.exe"	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe
320	locdevbod.exe
320	locdevbod.exe
1260	devbodsys.exe
1260	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 320	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	86
PID 5100 wrote to memory of 320	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	86
PID 5100 wrote to memory of 320	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	86
PID 5100 wrote to memory of 1260	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	89
PID 5100 wrote to memory of 1260	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	89
PID 5100 wrote to memory of 1260	5100	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\SysDrvKR\devbodsys.exe
  C:\SysDrvKR\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB1V\dobxec.exe

Filesize
235KB

MD5
3c8daeed46de984068f9289ad11b3799

SHA1
96c9c808883acb5fde8c8098b0bca2cd2cade89d

SHA256
2e2607c40536e09e9aee0033698ab7600e384af13e3cdd9c359200efc7206c0f

SHA512
ebffeb6cfe516efc579abcd514bc2ad9f71b995687d9885b21067d847f0f31a1276349c40fca4e042121a53eac04fa94df0315d3af615620223c6c1f2f6f2cb1

Download Submit
C:\KaVB1V\dobxec.exe

Filesize
3.9MB

MD5
acf81680624edb0498de6a8e2b62ffe8

SHA1
c844a560de00e9c35be4bd10ec597dd455f16680

SHA256
8a96b452360da53b53c640df3f77a81d3d0f9ec950f4a3db6dd8504aaaa15605

SHA512
430a0614ff3f308bbc1f791b571d689f82711e75905f49e2d6a475371befb592aa381c67764b49aa6535199026e810a974781ac25ed82610e0f6167fdc898a32

Download Submit
C:\SysDrvKR\devbodsys.exe

Filesize
3.9MB

MD5
526ed7111967fcff9f3fc8c6ec963654

SHA1
8e40b6464fdb28aaae27c736ba60f9f96589b5c7

SHA256
afa530cfbff368a9dc20028cf9ec2d595761d0cb2b155c401bccc4e6417a5358

SHA512
e4c011a64cbfe8f5d05ae5ae9b6c10fb7335ffebc5b6b68d3b1366858bf0da0e303c8802d1ee7aa39dde724a85a56c301afc29c39d7b534065ac8a139da01328

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
702d21b16a67c695805d01c5b7a195d4

SHA1
196c02d38303409bcdb945e7a54e9742a092c53b

SHA256
851c197c194f074fd608174b29823a5f5bbcbdb9706235d17191b1d58d6d490e

SHA512
8414c989b2b8e6dce462acc7fe302a73803868d3cefe0915352129ee33bfdf0054a0b9b832146503dc894dedd18a26a244fed17b63425673f3cf9e120342920f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
b7519cf0ac56015dc9c1ae18bb40f892

SHA1
dea8696ee41c16cd8a8bfa6ce8ab46ffbf6ee651

SHA256
0005a8acfc16701da79eeb99ff52ad2547546e86a4f4136702a4dca90ab97978

SHA512
dfb83875ed59fa1aa14b60f68349a9ffca5dc431e55cbd61edb0ae594c5d137f2658fac6702051dec70a38b84dec380254de5cfb67266daec7c1fb6fc7529bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.9MB

MD5
94b572355c266730f48edf31af279bca

SHA1
62a3d84586fff3e03e14856005fd55d173f12e4a

SHA256
76fdf436c3463496ad6a9a1cc437bffe19a83338c564874e5e2ef5f98ba83d60

SHA512
725cf0a1082fc72404b87351d6510f54f9abd7a9a14deaffa5da126b0277be7d930f779e574f6051609960537be241ea990fb9ac9821879edf64d1f9f361c702

Download Submit