f600974679db9d77f557ffe6359b6591021159821caad1e0788b7aefa4d66872

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
Size

2.7MB
MD5

38ecc1d6a1d952d53d21f2b8d0cd4570
SHA1

eddf6ff07e266aeedfcd6513bebf1ce347b42268
SHA256

f600974679db9d77f557ffe6359b6591021159821caad1e0788b7aefa4d66872
SHA512

e0c68ecc30d04e640a8c4260191730e3fd278438cf195890e29d3907520f4fd0108a8a0e137ccc7b318ab9a12ef44486a0e59b269a343485bc39dab755c6efa1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSq:sxX7QnxrloE5dpUpFbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4640	locadob.exe
3796	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvT5\\devdobsys.exe"	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUY\\bodxec.exe"	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe
4640	locadob.exe
4640	locadob.exe
3796	devdobsys.exe
3796	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4640	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	84
PID 3380 wrote to memory of 4640	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	84
PID 3380 wrote to memory of 4640	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	84
PID 3380 wrote to memory of 3796	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	85
PID 3380 wrote to memory of 3796	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	85
PID 3380 wrote to memory of 3796	3380	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\SysDrvT5\devdobsys.exe
  C:\SysDrvT5\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBUY\bodxec.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\KaVBUY\bodxec.exe

Filesize
2.7MB

MD5
3473844ce5af76dfd608c055a4315a69

SHA1
33a22c8a94fc45cd29e64d6fa5fd8b35cbc78639

SHA256
f37405a2a5ad83163a742e3a54da58c6d628abc437e71a14be873e8fbcac5ef8

SHA512
db3ae0b23199159429a33eda413adff5e9ec8377f6383614e86e5846fb10ed9e16bd73a0c9dd2759c2d2150d030c0c02e1ce501d053aff693d361f5770241576

Download Submit
C:\SysDrvT5\devdobsys.exe

Filesize
2.7MB

MD5
10b7bbfec751badc406f2ac1826301b2

SHA1
26211d9c2d8a66dd21a89dcbcd7c4840d6d66f85

SHA256
e2d206b615fcc6cf429fd41df91f2dc72af21611c9c1aeba5fd5c49eaa6f8b30

SHA512
5c67ced0d3fa0aae9ee5cc68bdde8651ef48ca3f403c5cffe46e0fff171d82b39db6e109219c27601f028b177a7e9544f4cfcc3fa245544fdc184f5f3ebe6bb4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
aa8c6a8d91ea486dd3306e8d22b1007d

SHA1
e533d04f29de200a403b9430fbade6f9ef6be702

SHA256
2ff476923754d7fe8d9f421f160632cd5f71a3dbe961582a4ae365a2431cf449

SHA512
38be68cc743b521e634dddf87b130ed2ce6a83ef4e65b1588fafbfc7c225aef5c2af7e4699b7e2aefec5f9c572118ec23a5f3f99aed55bec055cb0e92379143f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
0e43bbc1a8977d807003135b9f9636cf

SHA1
c8058ff5183cb93975c04f7c1c67aa562efb0ff0

SHA256
f5854d586aef8ddd0138ca940cc3299ee63018f1af0759f41b11293c47b49c33

SHA512
65ec3b70454654be2dbbbd9029227ffd5fbde5f94f17802ab3db7330d3aa39d9f822c7ac998e5859e0f69be0883872affc90fe67a4a4a1ae85725879b201ea72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.7MB

MD5
9f07c4c56c3af7014e1ca7e1c25fa4be

SHA1
eb45d7d4ab9c8eb7edaca0bb560f2028f23b4820

SHA256
bc5dc34f9987fdc7552c3c0a98232152c878741351b3a8efa5f52a6c2ae735e3

SHA512
232f2020c3f3fadc6382abc1f524494c7e0b8f5ffc44ddfce8b1d76726fcad7501eaed700f99efdfb63475d2ec3ec6946851167ae8d1e4c322f246f1b3a41009

Download Submit