8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Size

3.6MB
MD5

30ff215da9c612bb7634dc055780c960
SHA1

a60f20058314531bab7102f6b826eb65e62f2a03
SHA256

8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de
SHA512

7d1429ceaa6e4b5c2686ec581020c5b9d128a379001fadd01446069fed256e4717f312fca63ea9cfb11b254a0cedb0a374cf31fc036b80b504fc4528c699bf7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2580	sysdevbod.exe
3260	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC8\\dobasys.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJI\\devbodloc.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe
2580	sysdevbod.exe
2580	sysdevbod.exe
3260	devbodloc.exe
3260	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 2580	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	89
PID 3124 wrote to memory of 2580	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	89
PID 3124 wrote to memory of 2580	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	89
PID 3124 wrote to memory of 3260	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92
PID 3124 wrote to memory of 3260	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92
PID 3124 wrote to memory of 3260	3124	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\IntelprocJI\devbodloc.exe
  C:\IntelprocJI\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJI\devbodloc.exe

Filesize
3.6MB

MD5
986d169f6ffa14d3992ccbc596ba21dd

SHA1
fc49686d1eb41c3558b55c8d24d29b6047102d2a

SHA256
bbd96a766f18df50697f21828021eed1e8be2d44adedefdadf10805df10d68f1

SHA512
d16f307c92c5da95da73abd81d59fc4ec8b116073f993882ec04f3e2328b381da127b218eb12f6332f67c94d8cff59e458871bd70793e7116b2438a763346ae3

Download Submit
C:\KaVBC8\dobasys.exe

Filesize
1.2MB

MD5
d38f170720240887dc9dfd12aa38f362

SHA1
9900c99d53e1fb68287fada2003fb62ac31dcedd

SHA256
2a45daa46d6d010d81ff9921640e7cbac4f77b79f9a9e9ab4654254b5baabb5a

SHA512
33e393fe68b27195745a4322ff6f442ec6bcdb60b2131ead489203fed6d9d2a0ec022a5c1f7bec963859594e310e01c80d569dde299eb8d230521c0d48114984

Download Submit
C:\KaVBC8\dobasys.exe

Filesize
1.0MB

MD5
1b45d31f52dacf9358b251cd9cea79d8

SHA1
048fb7bad940e6575383026af9f0fc9aea0bf6ab

SHA256
659b56edceea1c3af6983b5610ce2126dfa819dbcaded462d879e1c8954de234

SHA512
e33e48a81cb4c82f278c28d529e2679add2543c71327fc8af6a06b2154c197e2fea9755aa0a8c4df56359ee154c0b415632e6cfe2f08620d1e9b2b427a5547e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
be03af3c8dd15150bde9778682df054f

SHA1
bbd80cff6c58ba65be96c0ae9fef09ccbe5187b9

SHA256
d355754aefb17223b89a2e3af4d20496aaec2aeaadf0ecb204c3578f22b4da6b

SHA512
5a17ab3b9c83ffcfe6ca901a9caea54dd18a64a2875c942b38e1a2f86dc4b2f0bd8fc7639e3cdfe4913b86a775e8f11c896adfc8489d1c08a810d410ccecf1a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
19b471814ef74b6adda4aa357fe04ee8

SHA1
63aac5e0d500cf4e6ede71c9d05dadcfdd29f6b5

SHA256
71032da3b8e2d690265bf230f13d85de296e785abf3471a085f794f6df2a8def

SHA512
f84726fa3e8ff8db8bba8728984500d5ddb06aa201e87e29055e9fa301cbc529370d07c72a86edc75c49962c8f7fb91e0a5ed5530ed4ef747f23104e4e70f401

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
0c693bbb0676681caa104701b1484fc3

SHA1
9f606b07e4cd1f0e1862492ceb42c54d43ffe714

SHA256
cca62a0c1060b39d87980aef3abc9faf3557dc6eb7a0e00f3cf7a6de5627ac49

SHA512
8a84a5652b5ba683509c45073c0ac2c5804aaca45f8cca507dd11bebb2769f10733e8a00ec1a7bde5c1ec9615d664f7c8e6d3c34abd29c380d183ca973eecad0

Download Submit