b5180c57843751389a6a6b34e663d1c667f2eaf9ea702dc40aa743c462349514

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
Size

3.6MB
MD5

8d6e2f7148e38707cb98260b85ccdf80
SHA1

e83882d006850f2e27123e75eabbc2d9c195bd5f
SHA256

b5180c57843751389a6a6b34e663d1c667f2eaf9ea702dc40aa743c462349514
SHA512

e4d896f4ff7cb2af62ce0d5558c95e3b383f5bf148798116528ecb47beca27cb1da7f772f8462f62c177fae6993d4fd2045c2fa4923223219877a5e1c8504226
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpMbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	locaopti.exe
1204	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax80\\dobasys.exe"	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot26\\abodsys.exe"	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe
1208	locaopti.exe
1204	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1208	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1208	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1208	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1208	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1204	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 1204	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 1204	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 1204	2240	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\UserDot26\abodsys.exe
  C:\UserDot26\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax80\dobasys.exe

Filesize
2.4MB

MD5
d4073bcc3cb1a137f357c1dad6c724fc

SHA1
a72dc1921e60bb845954c1f60f9f86055f5f25f0

SHA256
770c3ffbbbe51a3293a5b292eadeadd4c7459ae111500e25f3c13847fa7bacc7

SHA512
e801501a79475d03040de52e514595a0206d8da2081ba8e04dcc9ac2d800c30e4f48078a48c572e53c11b7b9d276d8737119a53095283116f9affe59231f9dc1

Download Submit
C:\Galax80\dobasys.exe

Filesize
3.6MB

MD5
1b1c0052f1d27e25c41e6d553ae697b5

SHA1
48d9a3440416ebc46cbe8cf89d7ea5085792b9e8

SHA256
8a3180642dea350f91bc5d8ed5295b9c78863f30b1cdabbc1985e5d8517ad90b

SHA512
15dc382d42ebd2c9eb477ad0f33fc8d7841def29a01356474a32c45e087016da353c5720f1992f479517bc12ca5bfe27f0f2fe85bcafff6c9063f74ea1a46d00

Download Submit
C:\UserDot26\abodsys.exe

Filesize
3.6MB

MD5
d0c806645da4af6829026d30068c4124

SHA1
4afaeaa80d1614af8e7631f4077ad1a2aa2da06e

SHA256
b49ed94492a18e9910095a5b2ade1bd1c6ade506469c20b24bf17e0d013b1611

SHA512
3b1684d6b78cec56367b3ecbf74011e3c1d062113f5cff58038b50a1c620326efb721157cf77b52e8e0b9c7fb1566ca0d979e00b2c06f33a73c066283b452603

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
7af7ca04c3f9affac3863c9da8615009

SHA1
426df5603b7eac2dcd7489ca1e636297a9591c4e

SHA256
24a736720f71407156128aa3bc6ab897fe1d4f310d389e0ebe62d6b50669f19e

SHA512
b78db2c305af30828f2488c8a85b8ca1cf0141e8d9dc40c5c553d63a4a0edcda1af2e084f669bb54215f372d9246810664e2200dba49c6fd18652a00fb9de30f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
c010ffe34cd5214fadcfe8b39dc3bad7

SHA1
b9fe7b1bf9464ef24d50fe0284435fe3e96c5592

SHA256
af70d591e1618944b886a3bce10108814bef0b567023c640693f8d2ab10cb3bd

SHA512
d51f879cfaa54dd945b703ae0a116333db4e7142a97b0674fdea06446cca56b779f1cb672ba8e5ad726e5f1ececb113e9f501bd82840de6916983b9cb004501a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
3f9e9b1e079e378ff6edcb2226bea8bf

SHA1
288c0a1db8a6b627efbe373abaea67fdb01fa11b

SHA256
fd850b03af2cd615287ccf82c56e529e550ef05b357b4b5b44bc1bc4496ea1f3

SHA512
b6b5714d76b440fc86ce6b8d513d88637fef9804ea9c386ef861f3276ef6c7764e46dd927d27beb9043222241b589a72493da9cfcee2ac08a32cceaa7fae8f17

Download Submit