e04438bd374e823e38ae533f9f04e898b49144ee399f766ff97a83d9f6c5dae5

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
Size

2.6MB
MD5

56ca3210b38b642f71c1c4b00bd65930
SHA1

1876d0144bec75d9c1863408ab275a0b3b44d8f9
SHA256

e04438bd374e823e38ae533f9f04e898b49144ee399f766ff97a83d9f6c5dae5
SHA512

17c156ded304a98916d6a1eb4454da295f0a55e372fdc893f681014fef4b6129df23222788357c98a6335b78f07df2661180d46b9e93040ce511a3b04181522d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpSb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3676	ecdevopti.exe
2360	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot14\\abodloc.exe"	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXG\\bodaec.exe"	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe
3676	ecdevopti.exe
3676	ecdevopti.exe
2360	abodloc.exe
2360	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3676	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 3676	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 3676	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 2360	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 2360	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 2360	4788	56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56ca3210b38b642f71c1c4b00bd65930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\UserDot14\abodloc.exe
  C:\UserDot14\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBXG\bodaec.exe

Filesize
2.6MB

MD5
f0a17776d7377c334b8f413e1d72deb0

SHA1
af597fa5dafe5bb66fb15a61eb98b6600847c298

SHA256
72c6ff5ee7b535892fd22f63bae7cf81396c97251a506d92c6018daaa547832b

SHA512
ef058799e1a940475450cdc91357debfd7b6d32f5ab714b58a498104d9c21eb6554e14525567dfc07c7369f607b5b6acfb481859a9054c922f65088cd4e2e891

Download Submit
C:\KaVBXG\bodaec.exe

Filesize
2.6MB

MD5
fc13f7bd897e39c2066412145209bf4b

SHA1
eb61049ff1912fcc9ee992ac494612bb5268fc58

SHA256
ded6c62f53080722cbb558d145187926b2afdfac309daf3c254926118b4dacb7

SHA512
0cb7ce153acdbdb218989b0730be4a0309778dad6107a162dfcc668846ab98611ffc7c425a067cbcbef412baf49b17b5275edb26dfd30cf960844672975cace8

Download Submit
C:\UserDot14\abodloc.exe

Filesize
2.6MB

MD5
7d947a2c8c27c1dc9b23166d2dea0dec

SHA1
c032726ccab89dce05a172734db68f6e4baa2de8

SHA256
616526407e8899270ab4799ccc12ded8446b0f411dccc59f66329aa25ee55368

SHA512
4e82d72b293dd3cd1e8ecac140e8424f5ed77fb8e6629cdecb1425beee59751ef789e08d3666d1e6c570b8e443abc12dcac1d894b0089cc563addd11c5c07884

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f9017a0fbbbebcb005cee760a293f655

SHA1
52d5614fec5260b3fe3ef1d73941415683af8acf

SHA256
ecccbb88525acac3cc8bfb35222cd6cc525a9ab735f5616acf9868d600ed046b

SHA512
fa110f2d955e620ee19dd28d9248d531e02a32d5270fc846aab476cd6cf63930d774ee551ac9f239056d17b6afc30b5e47312e9865a2c4ec4a51bf0b4ec37875

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
41ccdcbf902cae9442f293e6bc324404

SHA1
ffc5811553a8b1c5be40523dfc4ecc053beb65fe

SHA256
66e2585cd31bdec9766bf59cf8ca250507dc207bc1287e4f7ddfb5152a6c7671

SHA512
76108a2db8758d89cb781ed6c7472fdff1f2b4c8e34e28091ac0e3f001aba0245b25272ae1a0fa1fc1c7efa31e5a6d3efbef4e0173dfdfa6458193b2eec6481a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
cd87785fe557bcc02adbc78c94bcb56c

SHA1
97e7018951b5f597cec09aea5f801b2858226c18

SHA256
d2aabca2b23417ddc7bfff8776ef53d394c3b8c650293dd646f223ebd9cc8471

SHA512
906383d232ed1f99f094200842d21366e99198109c5bc006bea7a495b0d6a1f49d000ac53403574a621b6e4cdbb19197fb64b17cedc8430e13b75a7c5c59b939

Download Submit