55d6b5084d2ff061e3f105c17031459105a6c320bd39b127ee76a7d5396c286c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
Size

3.6MB
MD5

68485cdd45c7606f9a95dfd2c1104480
SHA1

f03fd91c0dad2534b4eb95b06172bb085f11b182
SHA256

55d6b5084d2ff061e3f105c17031459105a6c320bd39b127ee76a7d5396c286c
SHA512

ac0c3c61050596408cbd9bf4d501e71823cbe9922fa592a26dcdeb5eb00a4e69ffdf045d5cca4d01e00aa1ae8c399634a8c1f03774e07581b583cb5f8d2886ad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8:sxX7QnxrloE5dpUp4bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	ecadob.exe
2728	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNP\\xdobsys.exe"	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBX1\\bodxsys.exe"	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe
2780	ecadob.exe
2780	ecadob.exe
2728	xdobsys.exe
2728	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2780	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	87
PID 3492 wrote to memory of 2780	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	87
PID 3492 wrote to memory of 2780	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	87
PID 3492 wrote to memory of 2728	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	88
PID 3492 wrote to memory of 2728	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	88
PID 3492 wrote to memory of 2728	3492	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\IntelprocNP\xdobsys.exe
  C:\IntelprocNP\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocNP\xdobsys.exe

Filesize
2.8MB

MD5
3e7089761c51f13ac398121f0079d9d4

SHA1
f9aa4a089f02a3f9697d72fb60d6ab03374a7b7c

SHA256
1c482b0a327c9dad941960342f9866d6812ca684a97c9732184955de4e16ea23

SHA512
c0053c52f39dd5c04de48bf3b380566bea5413fa765899105e82fb3f429b8e5da76ec64c2ee39749acdcc98a085807ebd9a740789ac81cbb700571e7577f6f10

Download Submit
C:\IntelprocNP\xdobsys.exe

Filesize
3.6MB

MD5
6463d8b9592abace0e71ab503988e781

SHA1
faa1f960e3825c13966b1c1a710ba5d5e3766c4a

SHA256
272b8f580fb4897d0bfdda626e29089fa81b75b5162e2f27f51b5691744af7b3

SHA512
df50cf5850b46eae03f3dfba4fdb6c696a27df12d87d7116bac05188228e1d9d39e3a2fb28f6044e81ef381f625c6bef250a4c8ccc5f98942121911370f9f05f

Download Submit
C:\KaVBX1\bodxsys.exe

Filesize
242KB

MD5
9a35e86a59250689954ee9e7a726a26a

SHA1
9465de34617a068b75077eee07ed73bf25ca9a24

SHA256
477b5c21ed48a28809ad74bfc45e9e623d1e62bd54df42d0fc3398ca3eec4f27

SHA512
64b3cc65db4f8b5c680c9ab029e574fd1af1ce2299a3b4029690915042088789f4c1d675752199781b6a69113c394677ea8e0a850b4b00f80a238a837542a46a

Download Submit
C:\KaVBX1\bodxsys.exe

Filesize
3.6MB

MD5
fb9f46e8ce3181d985f036c8936024b0

SHA1
7e05ecd9634f71ec99b34796a6397f410541df6d

SHA256
b3e7830fdddc8f00d20a2d27a2b58e41f3a51418bc3c9f21142c9b8b38a1b5e4

SHA512
07368f3dae6d0286faf90e55546b5aab5f86ffde013b63653422fd29d0ea582a97b439480e296682ffd2f009777fb6b426743622062debe89c786c87c1728cf4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
fdfcb5ed6d251ee600101b607b960dc6

SHA1
c5bfdca61285d1e04a2dee3e515adc8df7be1cf9

SHA256
04b2fe2e184c1eca3e2eb375672b0c0d350c71174c0f0ba61aea48ca481a2cd6

SHA512
b542cdda835dc7f4a69421a00117d0d9c477ca321cc1f2c6420b1a2a3174b29721f0e64d129fd5168c528a7e35130fc914d8fe2268ef0934eccb68499f80f32b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
17de114a126a49f22d7cc74ce7834782

SHA1
20c963f45bbaee792ded334d8f7ce24e35cb4978

SHA256
0b2abc9d540b400a19ba2974871ce276d5961040f21160b574d387e4dacb58b3

SHA512
a29f1ae5bf5d8fbe8e30e6c5708d7c689349ad72169aa7ad53b79be4e18fa57ac8425d19960ae666c327ff585a7527e704c5c4f5ba279e18dbbdbb656ef31760

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
03d21af07050edc4d00d55b95027028c

SHA1
9a50ee12fcbc28795a282d1a63c9a3a0c60a360c

SHA256
2a421a7feb5d6b7675d9a66622aa2c5655d2c6f7e8249ab2c8363de36d9c1cd4

SHA512
ee3114bda0976a7c9f59b2b8e44450c456a61f58aa089a0e5de49c65cde1b00048dbc4731e352290d61919ceaf14dbb8b566e6331bcc382103756bb4c41b231f

Download Submit