f69f230a17ecc712519d2b1775f97e9339b30afcc57795a8bbc2f22c2f15d9d1

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
Size

3.6MB
MD5

31df1c167c9e07e99f085b6bcfe5f5c0
SHA1

16d4c36a2e9881d88bd71e56031e15e676aeb365
SHA256

f69f230a17ecc712519d2b1775f97e9339b30afcc57795a8bbc2f22c2f15d9d1
SHA512

dc6c4c5f42b4e43de28b8fc690371a96342d1fb5aed3ec329d9db033bdafc3b1f9d0acf7bc184c5b8a0d9425bf2cd7669cfb114b4e55c971628f8fdf76dc0bdf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4592	locdevopti.exe
2568	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTN\\devbodsys.exe"	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUS\\bodaloc.exe"	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe
4592	locdevopti.exe
4592	locdevopti.exe
2568	devbodsys.exe
2568	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4592	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	85
PID 3492 wrote to memory of 4592	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	85
PID 3492 wrote to memory of 4592	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	85
PID 3492 wrote to memory of 2568	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	86
PID 3492 wrote to memory of 2568	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	86
PID 3492 wrote to memory of 2568	3492	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\FilesTN\devbodsys.exe
  C:\FilesTN\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesTN\devbodsys.exe

Filesize
2.3MB

MD5
2087051b459439eaaead82200bac255a

SHA1
27d4ce848b28bea00b58b80209d4340329c7f15b

SHA256
537edc6d1238fd28d37d939a455211e2e5cf0125cfba615d377788e8093f5305

SHA512
765e8176297975cf77c4ccc3d13a45f928f36c9ac0afc0012843b7bb2fe68d66ea7bbd7a48ee6a34e999d697103761d8d611f97251092fad8ec7956d99832e69

Download Submit
C:\FilesTN\devbodsys.exe

Filesize
3.6MB

MD5
901e6b5f8d4980aadafd8c1385f68f5c

SHA1
bf78db5988ad89bd4cc97af3f9544a7854d9ec95

SHA256
99d5c0ece517459fe2ebe2666acf5a659afe1d681e49ee46b75c2ca82217c333

SHA512
131071db35502f2ff71bbd9c15179630bfcce1d8e8e0c353c2156996ca7dc7f449c55a22e31def6f07c68ac7e614b0f0a3a5f1316825ede57f6476c639cf8cad

Download Submit
C:\MintUS\bodaloc.exe

Filesize
507KB

MD5
6a94139901a5a3e54d20084b521cc0e0

SHA1
70cabb155a59896371d0929a8d3d4fb5e0fc20f1

SHA256
d9f0ad26aaa8bc6107d1ad6df3049a4d5a028854dbfb06f5b6d3940f77c84d42

SHA512
ba431e5791513748f85e0abd06e15e2fc4115b89f4dc56872797638fde08b47f79743ae533c405582e558d06f0e10a7c6e95afed7b20735ba8334459baa3d765

Download Submit
C:\MintUS\bodaloc.exe

Filesize
3.6MB

MD5
cdbaf5e2cc315310adcc7297da958ce2

SHA1
b78b4937e33ee684ead07126f49067bbc8eb25c1

SHA256
92602fe96dd4a1842bbc8cec1ac993a1013f5230de4087d916601f415dcc6625

SHA512
fb69b74712161488904f8f0a6ba7d8cfa9ec534e5a76838b2bb928181f8ee9f72d96d2d08848ba5f03f2811d994477e47d5490f9d1789c0f67e384cd010c0e50

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
bd32eef9f34e8a91a8a4dbc8c35a0f14

SHA1
f1a5d3ead5333d4758a776a59afcf6bc8d30cf7c

SHA256
49eb8d2ea2200ad22f4a2ff030cc54ff1d334b3d8306a6ac6786b549357e09af

SHA512
62378df8aac49a6d68b3662ad30451609b32e8d03e6d890b3678f5b45e244a797144ca208155c0184baee348763a28323f17bea6d9fe93bc6e192b376fa15d66

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
7f97956a9cf59eaa85f3809583d54674

SHA1
f4e49d9c94294210c11c486716d5e03185ab5a0a

SHA256
368a8f45bc294c72c038a857a93d2621c759e0f00041197bc9398d3d9ec1908b

SHA512
bd26fd021e542b41794f02042a3858add217a853ce092791ab32576d99d84664a66252d60078781402ece7aea83be16b813184950a09e17443699c0d3b383dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
8495d261f0f144f81a2507dae5b23b7e

SHA1
621fc8e76090864597abcdebb1bd646699153b20

SHA256
ba6f4438b33f7d26ef13fd9e4f1064924c8490f542b26a01a5c66f28c56114c5

SHA512
39ee720e43499362c594a005c726b7732be9d255c98841a630cfda872e05075b60cf3ca2443012fbaa1a78038aa4096fc47805b6118f010ad4713595dffed94d

Download Submit