00f237e3b4809c5ba620c67e0caa28258c11195dfc78929f170f33fa21cc9bee

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
Size

4.0MB
MD5

0c8392d86938cb428d0b2ff4053f7500
SHA1

c7fc0c454864e4f905e8eeb02499fef6b27ffe78
SHA256

00f237e3b4809c5ba620c67e0caa28258c11195dfc78929f170f33fa21cc9bee
SHA512

5934119cbababee7cfff025f1d8302b56dd707c495c4e05a055a3461f199d09910d22f71a5d1fddf5d3257bf6aedee77c28463dd396bb8203c41b395e4c5553d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUptbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4496	sysdevbod.exe
2212	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB74\\dobxec.exe"	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJ4\\xbodloc.exe"	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe
4496	sysdevbod.exe
4496	sysdevbod.exe
2212	xbodloc.exe
2212	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4496	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	88
PID 3972 wrote to memory of 4496	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	88
PID 3972 wrote to memory of 4496	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	88
PID 3972 wrote to memory of 2212	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	91
PID 3972 wrote to memory of 2212	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	91
PID 3972 wrote to memory of 2212	3972	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\IntelprocJ4\xbodloc.exe
  C:\IntelprocJ4\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJ4\xbodloc.exe

Filesize
4.0MB

MD5
09c6d3f8201e067ef6f5c1a8d8ae7140

SHA1
3e09988d567ae715692a76050ee820bc8f25795e

SHA256
298b9dad354900da9e97786f1d21e3d1637bd38f285db7b1921703e9830bff59

SHA512
86fb94eaf64b587cb0fa58cbdfc64347e740cf8e0a35c2acb753e8ffd9423de11ab176d2d525e4320b06c0ed7ba5a274f6e97f705c471a50de09c0fb11751fb6

Download Submit
C:\KaVB74\dobxec.exe

Filesize
4.0MB

MD5
efa59352165a1878f183e56a0f0bd14c

SHA1
07a91f11bc494c0cccd0adc26775346b3c465c84

SHA256
72c92068687c7ee182ca805f41b3132408fa82b6f2cb1064b1f49f07eaae6996

SHA512
577b324c0ff741b7dec0f971601957bdbe3be539caf9b0170147b3917cac8ab9cc3c77336de5653789cebcfa9ccae38c830f399510de58aaa18efd0795204691

Download Submit
C:\KaVB74\dobxec.exe

Filesize
237KB

MD5
1a38b31eaab906a62528f7f60a035284

SHA1
42e3d1cdfa00eb948fd063b27fd1630469a14e89

SHA256
3d236633187b0236217ef39e9bdb647eb412866b8f039ecfab8e2f9a8277407c

SHA512
1887f50511d468973fc18c23dad1109102e77413451b9f01a34c9b4acd2b2b1e8758b93d3f709e1c7eedf306bef30a9bec88f48d4e0068aa5ed64dec796d8db4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
dd55bd82a248b094bb56b5fe47998922

SHA1
118f4659c8bb2d86efafe95d06e6b925970620cd

SHA256
45c34d8d265e37b0efdc5a2d3880f677fbb3ddd2f458a90f3f9a2c5454313963

SHA512
7046c9eb654f9593a34eb01358bee0bc3943b041aaf6b855097ae859f68e5f5077ad4fe75fa5f2f39d070064e87b39decb208518b8ea9539eb255fd810a09822

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
37783ee7b2ded73cded0ea8228ebf216

SHA1
57e26c94cd994522681100f8b336e6f502926d20

SHA256
ddfd75cad8f6648c20fea332423e7bc6af4c89a7aa7c6a7fcdf5db524fcf7c3d

SHA512
f5cf1382f442a7117023bffbefbe0f856e0d25510fb6d8e1c0e30992287e1ef787c0cf97fad9a671a02b9b2b59f4b5f03efec3565f4d718b9c424ac239bba65c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.0MB

MD5
920f83266305e5fdc86e5efeb2ee5aa9

SHA1
73a8f7cfd05b8c2c0e0b4ad940933bcedaed7725

SHA256
4c36b24169b36451ba982473424836252e35702c35dbf27a39172032b92877e2

SHA512
ed32e7cc9de4e04770adc1694cc62b1af9728b3ebf0c6f6959dce0facfc1df3da1194549a51527e6c3157da966022c5917662b7a0fb564e430d52464cab852bf

Download Submit