4a7041979adc7492eaff05e837b424d7b7f327c3052ff16b3369278f31cd3207

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
Size

3.6MB
MD5

7c46d04201f5cec5b4e6fd998bb14170
SHA1

c5800169a45aef4339812ff85cee1a4306c929a2
SHA256

4a7041979adc7492eaff05e837b424d7b7f327c3052ff16b3369278f31cd3207
SHA512

5f5b7033e26cf6cd08f299e2d38c61320315c2a3bc3029f8aa81d4ac6118fdf3767dd932afb3b2759cb1da52d890b561021b5bf1be9348722ef808356c152d16
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1672	locdevopti.exe
2612	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVG\\devbodloc.exe"	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB69\\dobaec.exe"	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe
1672	locdevopti.exe
2612	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1672	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1672	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1672	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1672	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 2612	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	29
PID 2064 wrote to memory of 2612	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	29
PID 2064 wrote to memory of 2612	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	29
PID 2064 wrote to memory of 2612	2064	7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c46d04201f5cec5b4e6fd998bb14170_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\UserDotVG\devbodloc.exe
  C:\UserDotVG\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB69\dobaec.exe

Filesize
1.2MB

MD5
8aff09ff116d1fea49df208184c9350f

SHA1
15b3ecea105539f667cde7321c75d3b2b5dc8206

SHA256
440ad65f04253f9c8b3cfcbcec31882a9c99301f8d6419446c87cf633b055be8

SHA512
b6dfdcd21330bedbcb887eff0f7280c87c3e0eab8eef0cae1ac4dc18733ec842be9fa2ca25b5550e6c60fe098040d193d8171c889fe37c4e3898ab7ca0a79190

Download Submit
C:\KaVB69\dobaec.exe

Filesize
3.6MB

MD5
2c92212e88eb26deb75bf5fb54fe17b2

SHA1
bdef2f7afe3087d9ba46c370040b17fdf5030b11

SHA256
43d97c840490f11a822174c0f99232fcf3957b784bf8c141b1e5994c4a5ee2fb

SHA512
77ea369265ebffdc8750ff2b0c5cf1c5b50a74466b1ab5d6e8d9943201484024c2b195506a11e493f9fbc025ba035763e57061a798002b5a121628671296a45c

Download Submit
C:\UserDotVG\devbodloc.exe

Filesize
3.6MB

MD5
1049470fba986e60324c39fe4a203677

SHA1
5222908b3e50eef255b7a6f1105fef2e0e25a01f

SHA256
1c50193d279509447595fd1338d5d9bf576f8f42c45f88992b613c782d4e5393

SHA512
d45c274836c7a26e17b849b129277a285e758f318bee0ec73d324e6993219b26219a945b97a2daa3249b095d1dbc9b1d156da2058c76c59487c5d94a49d83d8b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
1f57183458e4c2cea85c3cd49b6fb661

SHA1
66743e0eeaf1f8adcfa74d0dfd0f626f39506e84

SHA256
b0bf74f13733f068bc41df3ac97a7d179660500672f403c6ff5ce9b4b1a4a4d3

SHA512
9c96b86770f73f7a31e439429973e65e0475d059d9b547a8817067f78c27c626a176e5d71f122cd6974141a0bd8b7fd058ee539a33af88dbfa218e3528863c58

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
8f1ac4c2c76674cfbb558a390e99f1da

SHA1
ae6ba42c185660333a5efe28aef30fe1b4001534

SHA256
907455e231c2863cd36bb6b1a06b3f9d1cb0b902099bd5a583ca01078188f2f1

SHA512
5f5cf87ecbdb71e6ca580c6a5f31b6eabc78e0faddd8bf23d772984a64afabadf414b4ffc05f8eb4970409f35799fdb30e87490a919f4667336fdf0e20a8f497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
3d9693270c8b900e4f7f4171025cdaa7

SHA1
c5283ad15c07fb1c9cdff9334e6b8c2454449337

SHA256
414e2ea5753a52be00d57504ad19612b762fbd95d24271c997e7bc25da6ac965

SHA512
f00767e565933e39ded690c153cee43fcdbd37440d5fe2df72ba6f7bbf5a78bf587a8696e1a40f38f4d0cba4dfa63f1318362035116135cd4b33aba8b723be59

Download Submit