f932706daa89e5ff3cb5d2a3fa1ae5c1b9c9aa08af6161cd28bf59a82577d1af

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
Size

3.0MB
MD5

2aae35b1b8481eec3256b642ef6fc180
SHA1

14259d5ce0edafa907e2deac16ecdc954ca17dfc
SHA256

f932706daa89e5ff3cb5d2a3fa1ae5c1b9c9aa08af6161cd28bf59a82577d1af
SHA512

01c6cf364ee531674866a99e490eb3b06e627b93587ca82b79cfa47ea27635f3ff355e3777f0a4bc19fe147ceb6108eede23876677b296b6dc8a7b983206d07b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUpQbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	ecdevdob.exe
2640	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX4\\devbodec.exe"	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGJ\\bodxloc.exe"	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe
1408	ecdevdob.exe
1408	ecdevdob.exe
2640	devbodec.exe
2640	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1408	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	97
PID 4628 wrote to memory of 1408	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	97
PID 4628 wrote to memory of 1408	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	97
PID 4628 wrote to memory of 2640	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	100
PID 4628 wrote to memory of 2640	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	100
PID 4628 wrote to memory of 2640	4628	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	100

C:\Users\Admin\AppData\Local\Temp\2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\SysDrvX4\devbodec.exe
  C:\SysDrvX4\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBGJ\bodxloc.exe

Filesize
3.0MB

MD5
cb084cf32e62e57819e8195436409dcd

SHA1
e96d5dab864a482332244889645fbd8e7b379a10

SHA256
97acf31c4e1d947875b7339786406c074a6805799ae8f13c6bee32e4a6b1a312

SHA512
08820de536a81d6c1ef5d8adf5ee30d2126350e658b061764d24a3da8659db30187a670ae9184451b9225d399b5ba5eb473cd5657e0f803481759631f048a2a3

Download Submit
C:\KaVBGJ\bodxloc.exe

Filesize
2.0MB

MD5
118dd83718499b75a72d3f0fc69cff1a

SHA1
a93e5cd7aeb1b6f116b55fb10ebddeb955ce3114

SHA256
fd877b2b031385e59f6765205f9a6b77d6d755f7ec1dca126cfc05cef4d2a5f1

SHA512
bc53d16387f2eb1fd357d46f7ee50c0f8fb367fa3259d1d07064f561aeffdc4c2c0e9711e9a129820ea75fa3e93dc0765d8a6f7754f7ad57041b4c008b0c84a5

Download Submit
C:\SysDrvX4\devbodec.exe

Filesize
483KB

MD5
1223ccf21916a8b6e115278547d5cb42

SHA1
4db77fbb5014b87dd35a52626809aea691b54311

SHA256
6d9372e88edbc6dfd81227f2e44be31b437b0b2b21120342791fcc9f5f6c9c0f

SHA512
1823f4569ddb6a37972246fedf2376ed332e5ca0e8fae73d5271104ff3da3ccec677f451c231b6fc4f9b236df63a79938339e2a7faace6bf6bde849d8b476e2a

Download Submit
C:\SysDrvX4\devbodec.exe

Filesize
3.0MB

MD5
a3637abb2a88b687915af2833206e299

SHA1
3da883835978ba97fd25b523bea6842ef0d39157

SHA256
414d0a69f9ca01fb5ab3627d757b1e433c42feba5f5f7b4ac34c2cfaae790bb2

SHA512
9fde07914302c5448c5b79c9e70752e0c1e059311418d83295a41971061dc67666b883c1a19d5881490d3c04f395cb89c29635cb3c7051a30cb384f642add63a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c004b9bc50cb84d63fc8df5a33631672

SHA1
940fc3d293dd17b147a56d98d9bc17c6db6ef68b

SHA256
9c6d949514227d27cdb16d222a50bc6d0aee9413f0541c876c3ce18af7c6e584

SHA512
79c53e10a5f94047334e4e5f856cb33b899c8ccc30b24fb2379952927cda7e7eefa3244d736916502c17eba6c90e8c25f21ee2765597869bb2d2de0829971882

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
a00fd57281a9e85dd3c3b602c1d7747e

SHA1
87f2431cf5e95acbc8a1e1cbce11359f476d792f

SHA256
854995aa4935de19c96db230f6887f669c8b9b551b0830d901f9e14456be093b

SHA512
2f92e6e41f758c3bcb05489e88647017059f086978fd3b0b7122be30d2488a97085f924620a4ed99bab72e3ebed4dc3adcde6469bd865bf879bfedfadc6d012b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.0MB

MD5
95891fab982f65ec3e83151bc2ea2dc2

SHA1
6d0eef1dad730764241eda3f0f3ab341f04ab068

SHA256
85996ddfc6e4cc080218d658cf634fd58cad08e7c13735a2a529e488559f841a

SHA512
e25c4180da228a236cc38c8d6a574a966b1de4a8456690501b352b2b452a384de839d3eacab5fd701c98f96e15627832a2e8181fdcb9df7e30926880b5ce5166

Download Submit