2f50f0145ef6b1fb9b67ab8c6b122b6d2db4ba3b4ef20ddeba73314ae8d43a38

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
Size

3.6MB
MD5

2ee25b76e62fef2107e1a0731f2dcc00
SHA1

ec17ee2d4abfa0d48ab4790e1d838b806df5fd9f
SHA256

2f50f0145ef6b1fb9b67ab8c6b122b6d2db4ba3b4ef20ddeba73314ae8d43a38
SHA512

508427aad77bc905cb593b1332d035133b609d763378849f7f9f256ed51f891fb1d7d3cbcf708db8a069d7fb3c8bf04134a08fa45042cb5250dc6a8e390ea1b7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8:sxX7QnxrloE5dpUpEbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	ecxdob.exe
412	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax98\\dobaloc.exe"	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTF\\xbodec.exe"	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe
1288	ecxdob.exe
1288	ecxdob.exe
412	xbodec.exe
412	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1288	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	84
PID 1604 wrote to memory of 1288	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	84
PID 1604 wrote to memory of 1288	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	84
PID 1604 wrote to memory of 412	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	85
PID 1604 wrote to memory of 412	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	85
PID 1604 wrote to memory of 412	1604	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\SysDrvTF\xbodec.exe
  C:\SysDrvTF\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax98\dobaloc.exe

Filesize
2.8MB

MD5
3aa33f5e00b0d9ddc7c8bd5dffafdc88

SHA1
f81f166d26c622a1fc398f815c900586ad6dada6

SHA256
f4c5764488075b84357459a5385980f1d466daae7123df5f3ae60abe773646ec

SHA512
ee545313a40de16371f9febef375de9151b3d79a3dd5735ffae7a5779e2b68e319171251ac36a1c62d6e81592dc2e5c1fc862c70ae0b75db1e7d3ad662970ec4

Download Submit
C:\Galax98\dobaloc.exe

Filesize
3.6MB

MD5
b3e15fa48522fc12740f15b05a08b643

SHA1
78a8950ff757586c23a99b75e1f775d86ee09bd2

SHA256
06f6351636b80c48a10f7163004584bb232e4eaca57bc5f055a267f5f532740a

SHA512
1ce860787f298e6838667dc4bfea5936af81c9b48d90834a3234d61970b689faf01f50e0301ae168084dc018dd35eaef3945fb7bf9ff31ab4474c772c4df9215

Download Submit
C:\SysDrvTF\xbodec.exe

Filesize
3.6MB

MD5
a2a5bbac36e873503443c9a268fc9918

SHA1
de0efa51545b831a1807bccfc8b9924ad5e0c0f6

SHA256
734ed8874f774a8d7c06cec23aa66f0dd8a9357971fa025d63af2b1d5a8faad8

SHA512
ad4b788b95b730fb29f0618704b17ac1322be90de7f568f96d755a8ef7bd4b75dc1ef981858be3133d45ba3ca0fdeab15d12ac9ae241ef185afd0af4784d3ca3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
ef5d1cf2ad141afd3f0dd419e258d75e

SHA1
0281d438059e88309e924a829d741b50e98a0a97

SHA256
1ce14d8da355de1ad40a7d40e185eb8a548b57133a4f5dd5e6f521453a192191

SHA512
3114b070f178b3006105d8a0eaf1fb091081a596f992b1e9584ec81922e011365513435ea8990c86874e3813aef52f3ba9f44881fbc7f4dc836417054dbf4224

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
c17453c1a38bbb695708f447d26b9460

SHA1
dd1bda2000f83aa97322595f3a33d3397aaa92e6

SHA256
a6bd89bc64c297f8750c7733f16b7949ee79fd414f19d60c2db5c17ab6e578d1

SHA512
83998c3790a07b200c311341575d5780d4eaed187f1c87e4bbe5518bad4049c168017d19055d4148f98a2fb966aef911a8cf1b1e151072d15739f574b07cba5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.6MB

MD5
bc7b248a0ce4b7cb4b5fad7a40d4e737

SHA1
268df020c29aa9c99afaf319411794558dfc73e2

SHA256
916a8a130cb85c9919536d948b5864942e308c5cb6a17cb7bcde9a4f05767fc4

SHA512
c24525b244bdc147c32afcb997944bf04314ed06f2369dfdfc9683cf16fec00a8c937a355b6618d7cecf0dac0328cc4d8aaf0473cf228e851d24ecbdf2805127

Download Submit