c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Size

4.0MB
MD5

aedff83800d8a0bff4e5adaae2d78250
SHA1

e6a6acc9f6419d1f427eb336ef4f6e21544f2d9c
SHA256

c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae
SHA512

46f68ac1d7b81c518f94b7d7b521c073ff320e16797d9d18f1c5036e785f26c151cbd6302f3e98a1b7f06b485a9c55dd038aa2838c427718d0ee209434c48983
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	sysadob.exe
2488	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY5\\xbodloc.exe"	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHI\\dobxec.exe"	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe
3640	sysadob.exe
3640	sysadob.exe
2488	xbodloc.exe
2488	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3640	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	87
PID 4388 wrote to memory of 3640	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	87
PID 4388 wrote to memory of 3640	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	87
PID 4388 wrote to memory of 2488	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	91
PID 4388 wrote to memory of 2488	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	91
PID 4388 wrote to memory of 2488	4388	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\IntelprocY5\xbodloc.exe
  C:\IntelprocY5\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocY5\xbodloc.exe

Filesize
990KB

MD5
7782a958be0e1ad614d03e4882e00311

SHA1
ab7f4dedc44f09b45a2b2107edbf41ba43f4479d

SHA256
ab58463007931f0b35151f32b2bfa97e6126f4f7cc84aa7c6cfdd2dc6521ad30

SHA512
a1697f0b9858a9ad7cc523eab365b6e5099259beced56b4697d25a643ed520d801e5292ebc7777bfc24ccc82cfb56dca6b4e8a3b130689871360a2935cc219fd

Download Submit
C:\IntelprocY5\xbodloc.exe

Filesize
4.0MB

MD5
d40b2b900e9d328d035b0ba8e13d95b4

SHA1
9082d015cf9f2561d836a6cfd2dce23e85f68300

SHA256
2f4251b04899f30e4793fc3556ac617b01f671cd5381436f05c96775d49420ce

SHA512
66d8d1ae4507050459c0db10aba77c511f5cf76c59d4a621bdaeec09afc5b606c6587e73263abc69014437f6479902ced1b87c354bc665bc4f75dc1c92f5ae3f

Download Submit
C:\KaVBHI\dobxec.exe

Filesize
121KB

MD5
b4f41a3358aac4888289be4384a6b618

SHA1
1d97c59bfa8ebd63de63ff6408720a6dbeb59431

SHA256
dae11531360f52119e74f92c22b4e08c447ecf4f00ff597af166167b162a2cbe

SHA512
087c9bbfe15ce6b49f4690fc39735fd05a6b758246683cda745fe490fd243319fea7149c3017b24b6e4ec828eecf1ad196d3a493b067aa9895daa9bc2edad32d

Download Submit
C:\KaVBHI\dobxec.exe

Filesize
4.0MB

MD5
68ae20a21834fef353832b6ea4a412f9

SHA1
b7b9068c8549484685fd46013e1a3f225096e46e

SHA256
35161f747d195adb9e7c1c4d6db56e767502c6d97a465b94bf90391afda8a370

SHA512
d46c5ef66613c6172f8f9e8c32d2ff9ff6c3979e947e398299e970201e10dfe6f0a673cae4d4e0028789d8d35b07bf9e412e7c49c667c3da1c0d455f6d12d0db

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
49a4774b7bad852d782d1c022b06bd03

SHA1
0265ccc3a1f04e08de81f01e8027ede272944733

SHA256
26793a26d17919d827f2bc2a02eef9f9f1b7ec06dfbadc6913aa597241bd0c05

SHA512
6493238e3ae23286f631dbe0a0442182fbbf9fbac2b9442c89a1118c700914a170bf2fdb7b571ac30802f3725544acaa989ea092fd41f7def5b6764b05b813fa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
926a5314a6b8d0c0d0130c5c340f3e0b

SHA1
728a15bfd7c1d50240d844f41abe176661138037

SHA256
cb1c586716875e23ae4855d98ff6388566d832d7632fa136b3d2887b47aac65c

SHA512
f645cf66efedbd60527150eea53de56616ffe73a24cfa7ac89d86dc978e6801021d5d510f9894114e503aae34baa38a3bba8a72c3e2133f4302067953ab37291

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
4.0MB

MD5
6e151e9715c7149a65065966372e5c6e

SHA1
ceb56f5bf2e1f981b4845ef3723ff9004f5bd1a8

SHA256
6640d56af96b3f7883a5a028bdd40f6f5bb98037f8b7f9c586a169142a99242c

SHA512
3ea060f7dea08cb6de7a17137114b65f6a12accd99a4f1f3394c364b23ec1b8e44b531b27efa87bf0bac9dbcc02065762c0b3ccc59ad21e12fce241808a91970

Download Submit