b29eb6b378dfa6f3eead0a17f792bce21fd37a932866f0c12e973606c580218b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
Size

3.6MB
MD5

2f017349d32add3180a6dbecaf849040
SHA1

7b0e8709820705103cb411f755b4cfe00a21bc96
SHA256

b29eb6b378dfa6f3eead0a17f792bce21fd37a932866f0c12e973606c580218b
SHA512

e311acb61f212cf1a250b13048c665ec6f536d7b3a1df6586ef36dfb95362392c282e06dbf66c527c5280aeca070a60e45382ede2fed7e9d5ecbce16c3e47126
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3864	ecxbod.exe
1288	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZA\\devbodec.exe"	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRS\\dobasys.exe"	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe
3864	ecxbod.exe
3864	ecxbod.exe
1288	devbodec.exe
1288	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3864	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	85
PID 1076 wrote to memory of 3864	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	85
PID 1076 wrote to memory of 3864	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	85
PID 1076 wrote to memory of 1288	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	88
PID 1076 wrote to memory of 1288	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	88
PID 1076 wrote to memory of 1288	1076	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\SysDrvZA\devbodec.exe
  C:\SysDrvZA\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRS\dobasys.exe

Filesize
3.0MB

MD5
dd1174d3acb9653ad9a4738a3e628772

SHA1
a442bcaa9cf95b922fd63ff977668495e1da86be

SHA256
c51e3f3d1e3a274bb2088e4a025ceecf079a7faa651a83e5fc72fbdf9cb84f8f

SHA512
8f421a4c812f3c6bbf59fba7f840da844101cbaccf85aa47a8bab1efdf4c7af9eefd4647e8cb054c49a756e09bcd43b612094e65e3102ef11d36aca8add515a1

Download Submit
C:\KaVBRS\dobasys.exe

Filesize
3.6MB

MD5
aba41b0ddd2362c6e988b21dbf81cd87

SHA1
721fc93b79169d485fa0444589184f0059b2fbee

SHA256
4f3fb4a3c4189654b7222ee9c07440afab2a316cb8ed72806aace1da59c979b9

SHA512
6e955adf4472a098082c9e43726b7bd84cea6ad94c1f5aa0830a67ca937ff0895ac68e4b50ff27820ad32dd67a176401775a4213197635dc041cc3560476d9ad

Download Submit
C:\SysDrvZA\devbodec.exe

Filesize
416KB

MD5
6ca420c0b3deb8464cb1ea2944838ae2

SHA1
751971e0b99bd5a11c1e0dd44da7cc8ae078e0f3

SHA256
16dec6099530e3f2f275ddd611afcf079cff895777473626f07891fe5422cdc0

SHA512
13df060c6d0980cf2ad48452fb7e0eb1f786b94e7fe7c4dcdc029398ee998e83c514313ac8d54719c2fb612662260a0c5865075abed08f7c895a4e01b1474726

Download Submit
C:\SysDrvZA\devbodec.exe

Filesize
3.6MB

MD5
1fb3123d708d163388484a13cc79e2fb

SHA1
96d5a92f73b16ceb2db6efe90dd227138b27860e

SHA256
36b0ca915461280f3eba26ca3aa7adb494a0046bad1baa5e55f453d51f27d54f

SHA512
1739b8221298d16dac119ae49837737a2f86af5d1f9618802e347c25ddf7b281294d503b22ef3eac967cbbef5966f6b6dc6151ea3f5be05af546ad1aed31fb10

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
6795034521e17a2f6796f978349ab960

SHA1
fbd63f492878e570bc9a4a71d43d7a41335eab7d

SHA256
efe38f473aa22f22a5e1d1733145a68f2848c142efd46b364e25d49069637372

SHA512
dc6df2f2b2d734f9db0243e64565c9e0e1f7b21010b2bf3b9d38484a7873f858a8d23ebd1c63f45ab90d89366d75b34c41a644a54251098b1c58910c1a32f9c9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
0b1cfb10ab2c6d56638d4974b088d9ff

SHA1
bdce0ae21a6da8cda6b065336584be0a6636cf2c

SHA256
db64473a7ceac689fd9d44f3699392c261ef37cd7d4b39ca027439d45a500aa7

SHA512
0f496eebc45f0fc1384f002e6dba21f172d6c5348a6e857c97c634524dbece37539e88235ef34466a313acbb1afba9c642fe3b87d4fc3fac9c40fb09ec6e7b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.6MB

MD5
f5f7b7da307ccc72da012d97ee713186

SHA1
13f3773c81dadb6226d3f348746a58ed7e788cab

SHA256
073dc9c1f4ae35a75e34772def142e822d8871afa5fed747f7f7a3ed921ef968

SHA512
15ac3fff62654694b149b8b36a70a8caf6a45a09f64c16acaaf99a9ab346b3feab7a57215ad48f55d89dbe917edc9f9c6815aa71e7a50d7ab5cb866f8ba63a13

Download Submit