6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
Size

4.1MB
MD5

41d8293d6d470a82147f90db4bbd7e40
SHA1

fefd07c84d228b570be7182fb1f2e045c751cebb
SHA256

6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5
SHA512

9516512dcae7a0d44d0d622464a2b3aae81b6e45e8dd94bedcb70c7549ff7dfb73cf061d174e4a5dc4a3ab642eaa538d2c0c31753c06403152b8d600edcbc66e
SSDEEP

98304:sxX7QnxrloE5dpUp3bVz8eLFcz1/wiAUc2:sxX7QnHoE5dux9a1/pc2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
696	locadob.exe
4480	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeT3\\devbodsys.exe"	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTB\\optixsys.exe"	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe
696	locadob.exe
696	locadob.exe
4480	devbodsys.exe
4480	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 696	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	87
PID 4608 wrote to memory of 696	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	87
PID 4608 wrote to memory of 696	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	87
PID 4608 wrote to memory of 4480	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	90
PID 4608 wrote to memory of 4480	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	90
PID 4608 wrote to memory of 4480	4608	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\AdobeT3\devbodsys.exe
  C:\AdobeT3\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeT3\devbodsys.exe

Filesize
2.3MB

MD5
6915fe01df2e6f2a4e5d84fa1e49161a

SHA1
5decc95834f420b015acb7d3a2950dfd4fc12048

SHA256
a8f027b3dd014ae39b4b1b122bcaf3c349b798e07860192e95855a5f4e4a65e8

SHA512
340dfadfb74f6b65bc9c64076e5fd25330eb1599059df064086bca106d78a35df8e71507be0d5e4cbdb0978fd963449f16471b4ca1aad8f5f55fabcd5c7a10a9

Download Submit
C:\AdobeT3\devbodsys.exe

Filesize
4.1MB

MD5
cd9c98e337291d60dd9d9708070ad5b5

SHA1
77ad966efb51169c6deba47553c339a4da627899

SHA256
73926a66ee0cd1d75443517c02920d985110cd6d6d27c2c8787d8b02e9e6a624

SHA512
c42eea7afecf7df60f889133025d9131f3531dcbb2ea620a4e20d8bc744292c1ff4c5e5958a9dad39cffd6b0238559da5f9090a6124fae1308ec970d2163757f

Download Submit
C:\MintTB\optixsys.exe

Filesize
976KB

MD5
2bdb6621ea697ec941e75920e223412f

SHA1
0f0bfb47bc8c0eb4e26d6656aa0701dacf6091df

SHA256
26a88cebb1bae5ae7ce440c18dcb33e8eb17a7ddca37c5c122622e2e4be28002

SHA512
ba4d7f799c30778e22bf5749ff72609d35b6b7e91226c6101dd0804a408f496e301272a1423fae1cd22affb1ff535dea14976693438e044a00352f599159eac4

Download Submit
C:\MintTB\optixsys.exe

Filesize
4KB

MD5
34bd8ff991b1427aa83cc59b77d0487f

SHA1
1775fb0e77f2b1b201917c49e409123372df9167

SHA256
8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec

SHA512
5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
091cee86976f6750c768a3e9dc39273f

SHA1
a106461ed20527f8c6892822e089729418a9957c

SHA256
7af8a04bbff055a57316e80af1b9031fb178cdd86bf756a5c1758f4539074447

SHA512
5911693dbafd459d86e13980fb719070026f17254986073d30638c7f3a536ba5d58f5a4f2943d1e753ff706ee13101a2632db2c6e468e198b0ae9a94df84c585

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
aac0c8b1ed34236e09dd6ce3a49b0b54

SHA1
9a78e6640de30c8c8d3fc28de95f79d916d464fc

SHA256
3a8ccdee8668418d9b3a6cee7c04b381cf29775d391c326e05e81232a61ee892

SHA512
41d452e932f4b100151286c9c63987d0aa8de8f610aab9e740cd7a7fee67457a3f6876a061b88f0dcf699a8ccbbba2ab00aecc091b5594db3a6ffc02ee684096

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.1MB

MD5
e544c433971f7d097560b80cd4329908

SHA1
d7375fafd30ae39b5c023b8346e8ba7c21a5e5a6

SHA256
24d18b922e69ed118b2f272fbf298b27b6129572eab3105d99925453ea4bce22

SHA512
341a55437a6e44e617bdda6251c1a9a7d0b0f9f3f7efb5a6c1d44d5ce4935921ec0272659532562af2e7d95268377b9143466d1f1776b9be54ebff03e858fc42

Download Submit