f2f12c7f3bbbce8581d5422469dfc48d9214e13dfdfaa26389cd9dd1b69bf6a5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
Size

4.1MB
MD5

01df69ca825a1bb1095592ef40bf2150
SHA1

8516e1c2975e755cc0320dde9078ac83d314a3a2
SHA256

f2f12c7f3bbbce8581d5422469dfc48d9214e13dfdfaa26389cd9dd1b69bf6a5
SHA512

73a7671bc9a6b1fdc4435787b04d4637cd27198c13bcff780773282eceb7df7bddf1171ed5588ce1b810a776cf133da8b431ca265d1c1ee75fe88831db37353e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	sysdevdob.exe
5040	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK6\\dobxsys.exe"	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSQ\\xbodloc.exe"	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe
1208	sysdevdob.exe
1208	sysdevdob.exe
5040	xbodloc.exe
5040	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1208	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	88
PID 4220 wrote to memory of 1208	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	88
PID 4220 wrote to memory of 1208	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	88
PID 4220 wrote to memory of 5040	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	91
PID 4220 wrote to memory of 5040	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	91
PID 4220 wrote to memory of 5040	4220	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\FilesSQ\xbodloc.exe
  C:\FilesSQ\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSQ\xbodloc.exe

Filesize
430KB

MD5
5a27945c917543e0f7db5cf510aec55e

SHA1
1d962a981eb2975ae5abd88c847a9834ca0d8b9e

SHA256
be49e0d9f34735e54641e9a1832717f779b983883d978d11b11e8bed62561e5a

SHA512
8807d2c9784ab937f32d9b1a39445fd0ef9e762cdca5a3055e108f5fc85ba31181ee875373d3d04f9655550ebce024f23264bd6c309142e2f6e5126c5a33ed57

Download Submit
C:\FilesSQ\xbodloc.exe

Filesize
4.1MB

MD5
f3167d2296c0d0f875ef48e1fa050f38

SHA1
22b31be28a520e1ee9e76eed5b82c4d80769136c

SHA256
fb94939b4a27c6bcd0b68e7110abf428108672b38c633ae13711515f58aef436

SHA512
02263e9147dd4028acf3572857f2bdd9fb61e1d558ac072425cd315483a7c71549e46a9f8052191d8eca0283fcf8ff89608eee2830cd4e138e3a186ccefe7186

Download Submit
C:\LabZK6\dobxsys.exe

Filesize
13KB

MD5
642d5fd1c5d47e0cd3efc57772bc2053

SHA1
bc41dd3d35783afbd472e73a9f63190d7e166933

SHA256
354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798

SHA512
3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9

Download Submit
C:\LabZK6\dobxsys.exe

Filesize
3.8MB

MD5
4b682837e977e5a9a54b222f3688315c

SHA1
80e2d8c49b77232d40b039f4980f0c9c947ff0f6

SHA256
2e95717ea2e5de1a0165a6f2f5da7e8127eaebbda1dd86d0b53fb639ee85acbf

SHA512
0030566882e84680ec901fdbdc9fefec57fd207b369be24262e5e0a63c83690fcf5f9c0cc43d48704fa387ce7caec750a0b0b5419e3a4869a9764a274edea7bc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
729824e9fcf641ea3759610bb5a905c6

SHA1
dacaaefa2afa280e1d881cc89dfdeaf036e630cd

SHA256
a8a2da826a611849780379353917c29b9b5e2db519f77285f66e2bc38e80ea5e

SHA512
497dbd4de9b7d03b8d234b64eacb2cb1310c69404815eb31bc063511e55d577b5fbe7245f96dbe2bd6eac5c217d6e9ded347399d0dcccbc41a2820bb352c20af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7785dfe7c2bc3268269bd85cddeccf97

SHA1
0c98e55867bd0b40635a5a154c63918c50be5573

SHA256
95f0593f3e95656f79091daeb831680fce0da32e4ada9576cc8a0c3a425c4b49

SHA512
e13b1fb30b90974ee106409a59f82b0cb7c198c95f8cbe5e4d2cdd6e87758f2af8e6abdaea6c0c04a651fca99782b2dbe6b52863091523671bf94e3f342644cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.1MB

MD5
e286ec20d5d39b211068ad3909983483

SHA1
f2fe5bfe927e0ea91efb247d1e6f7d2999254e96

SHA256
93d7e9f6b743c1d32be239b040259d4ca7740d5d5d84433edef3ddf2f1bfdd02

SHA512
71d555597a4ece8603ec90db05df76bd94ca0045cc1b680b230bb5828306336e88e5fe365a306764a07f1e0b21a867e1dbc59987928dc9d7e19eb0a73887ee80

Download Submit