941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
Size

3.0MB
MD5

656d24cca6190b419de97393d257fa80
SHA1

88ddc929922dee50d8e11132279af714a9fee19c
SHA256

941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c
SHA512

34a3e5a6240753b0ee42330f0969541d069c6ec32af2253ce69008a57539798487d18995dcfc64037ae89b0676e8121f0e749a826fc93573d46a18ef757bde64
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
948	locdevbod.exe
1644	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOU\\abodsys.exe"	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWO\\optixloc.exe"	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe
948	locdevbod.exe
948	locdevbod.exe
1644	abodsys.exe
1644	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 948	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	90
PID 4100 wrote to memory of 948	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	90
PID 4100 wrote to memory of 948	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	90
PID 4100 wrote to memory of 1644	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	92
PID 4100 wrote to memory of 1644	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	92
PID 4100 wrote to memory of 1644	4100	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\FilesOU\abodsys.exe
  C:\FilesOU\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOU\abodsys.exe

Filesize
3.0MB

MD5
b3540eb77f0b4aac59e6b3ef1f977ee9

SHA1
9e2307f258012115af02a7f32d0150bbd2d35e7e

SHA256
2716deb8c4b96d8dd5bb41f42bf47e494a1033dab85fc8ae607d6660692bc629

SHA512
bce88dbe5c27d3a9ed34387022857bfd192f4ca9e2043a15e07e0c9a7d1e69fb815575f7aabda50784db0b471fed854b05e0adc8796d048858a64107a1804967

Download Submit
C:\LabZWO\optixloc.exe

Filesize
85KB

MD5
ec66f9943734e3eff5ce34c544a106eb

SHA1
f57169d3266caeac9f1495e57a2bb7046462bdee

SHA256
6e0021622d2759e70f1181eb24821153dbb68bfa7a45e543c7e1ea8f763cea8a

SHA512
a95d31fa416337668f041c970ab120526c8b071953d744c1aa0e5a9d94b7cca6e4a8873b4edc910436d6ac8d715fbdeea4d0b64e723e94d61cc0f020f38deda8

Download Submit
C:\LabZWO\optixloc.exe

Filesize
2.2MB

MD5
f5579a7330cd69450616fb7e81974269

SHA1
8cf77da20d27e28b04d6bb483505508835acf88f

SHA256
55d9c51e5fb26c3b4dee5664f513c689dce73bb9dc19a9dfd18fcab17172dd20

SHA512
6567b7007f7d676f8f8841c9b28dd9fc1a401d895a81faafa2179cf92f618aa63bf45bcc9c2788857da619ac923b76d29c334d9de85586f83555a5a08c9979ef

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a7f4aa5cbb20135a5fbce66126932d0c

SHA1
7bd8b9f703c20646f2a7e67c54bcd02e08e62547

SHA256
17f49d933dd5687ea837526b7dc309fae2d570acda24fbf5178133617539c401

SHA512
2e21f53b3e5efb8ee6023fc613e3309e9deadf9ebf928724ae4d3b072759da8ddf9fdda85f1e47d11e385186a8a801ac031a46f3dce6e6ff042b14d3841c46ac

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
35999cfb797e622f5862706569985839

SHA1
6ce2c0110f46c8518094a1f14ef580f2925ceb86

SHA256
4b78a4b4fa896eb1546e3255de0ecadbc4387e10bd6ef1dfbfb72a92df234f26

SHA512
126cb8536d521f94c321ae7a8494cbd08b0c08f9735a4aa9f31fac0417b74676ff413ffb11f7aae6d4e96445d6e05e0367e60ce33951a745c886b85815929ee5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.0MB

MD5
997449288ff10fdbb6418e37c379e9c7

SHA1
3700e439350564a00d028b55cd82d4a6bcdc578e

SHA256
ea2bc132b465e4154d47f01c46423b9371c3729f31bbed9e25904a03071cf5a7

SHA512
de21761af684592234c719bde43a9463fb3e7a83fbefb0ddd4138e84b0f336de939b29e85125b277ce526b5cce1aa95939a32d39f34d5d792ddd2704b0e602b2

Download Submit