8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Size

3.6MB
MD5

30ff215da9c612bb7634dc055780c960
SHA1

a60f20058314531bab7102f6b826eb65e62f2a03
SHA256

8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de
SHA512

7d1429ceaa6e4b5c2686ec581020c5b9d128a379001fadd01446069fed256e4717f312fca63ea9cfb11b254a0cedb0a374cf31fc036b80b504fc4528c699bf7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	sysadob.exe
2512	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6F\\abodsys.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9V\\bodasys.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe
2064	sysadob.exe
2512	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2064	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2064	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2064	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2064	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2512	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2512	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2512	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2512	2932	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\SysDrv6F\abodsys.exe
  C:\SysDrv6F\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB9V\bodasys.exe

Filesize
2.8MB

MD5
e8547a11cc50020bc1a7c3da41e3deaf

SHA1
62dffd31f6dd5cf81dc7d7592535d2dbfa25c054

SHA256
35dc2ca597c9ed23b58ca3d7e4e1a5d4d6a4d6387a23c56e7297aa051565ce8c

SHA512
81e895f7be00da01ccc4f7494cfcae66af4a75664a2db90c8f7fb40d47f5a745f066b898346e8735d12784395cd8eb5a1645004c82c01b78e5635dc0ae165c3b

Download Submit
C:\KaVB9V\bodasys.exe

Filesize
3.6MB

MD5
4d913a81696d29a58236119341323c22

SHA1
a3a7dc3331ce437f335c371071a283d54add3038

SHA256
f35cfe9c6fedc7db03cc18444cf06dabd108ee363d61ea3afc6cac2c2eabad0b

SHA512
416035eed13ba0f404cbfa77a9af002f28ff5b3d23dce7561d6c93b700bbdd7d54bc6936dc86c1ae1bcf76e8e1fdc0e80d2367c3849bda03f8353d9022c51fad

Download Submit
C:\SysDrv6F\abodsys.exe

Filesize
3.6MB

MD5
818da5ff4f539248ce1b3c71338eb7c8

SHA1
df7f0cb96998cce5fb583b741599160adb5388a8

SHA256
ebf907ae6b7676a6fa5e64ec43fde664657fa3ebdcf4c86c7391ad038559a8d7

SHA512
2750f00bff671246c21b45a8e993dd229f3b8bd0a2390bb815c7c76b36f332cafaf7aa995b8b9f951a8068fcdcbe3f5e84c742b682e8638e7c762049e78efaff

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
aa67f087e6cf122d0dfdc3bd39bd8a1c

SHA1
b86ee19361d87fd110bdd91632476653ac1f0a6e

SHA256
dcdbb726d7d788cde1c1427d5f2c5501ad0bb068091c0084df76c975f556b4fd

SHA512
a1a21271cd17a27e3f1b837e9035a84b62776a632082623d48eb1f0c72f5dbd888f8a0a4d5396c089d47ffc6e53065207c355432334cb516cffe85c7bcaa8276

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
83887a63abd419cb90ef75db0e966197

SHA1
ba47856033722e4e0703c70327d690dad3f01762

SHA256
31de970c1d3294cb6fa792df5bb40649cb80c0e27755d042ebf7132d2c6bba8b

SHA512
d1a6c25f3d8a0fd15c56dd42996d39bc588c46ae6e80175535b9b68890ad22136eb0e7f03eb9fd08bc1e1de77de435c8970d77cefd0a4b3d6104b49107ee97e7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.6MB

MD5
89fae8e3065341b2944fa8016c5651c7

SHA1
8b835f187398780190f977bf180fbd6da5464395

SHA256
1004c581d2e8c8e55f3f03abda0aea7e50090f33a820d29cbe1707538275db78

SHA512
7807e0f26b4a71c0cd1c36db30a695b6e69e9c13273dbe3cfbd5795b783ac7fe6a85720ce74f0586954ee12abd93cbcd92f3886baf4fa38f110ef9d368198b13

Download Submit