a7d5c67b4394e0a303e8741e27cfb10f07e5428aac862fd313083ade8eafafce

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
Size

3.6MB
MD5

fe0671204c9ed432322b4fec02ecd1d0
SHA1

424c846d17d4bacbe303e99bc35eb8cfb715be34
SHA256

a7d5c67b4394e0a303e8741e27cfb10f07e5428aac862fd313083ade8eafafce
SHA512

9782c6ef016f51bbe9fd375679745b143c4a867879db019ad305fb48a2d14381908aef08e68ba74d964be03e83c8ad19c40222db78a07910e6cae3893438d6fe
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpTbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1736	locxbod.exe
1296	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNJ\\abodsys.exe"	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLP\\dobdevsys.exe"	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe
1736	locxbod.exe
1296	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1736	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1736	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1736	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1736	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1296	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 1296	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 1296	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 1296	2320	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\IntelprocNJ\abodsys.exe
  C:\IntelprocNJ\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocNJ\abodsys.exe

Filesize
3.6MB

MD5
e7e1486da1465b64935203c119e15695

SHA1
82808b2dab4f550293b46da8fe5d950b0a95fbfa

SHA256
f52986faf6d4d0c2cec47ab7c0148ec25b30292dc6ff69a8449e920a5c31ce7f

SHA512
4d0e5c6bda93a8f86151e2e79868fb78d8f7b673dc37bfe34ddcfc816dfcfb22d5e149793301d627fe7bdfda052473826cc91bb9fc579d2ab47dd04f287fc32f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
ae50d43247b08d62879bf08054e0934f

SHA1
45badff5827e4ed097e3252ca3da89bca5f95760

SHA256
7674f3360b019cadeadf1cbcc1ad55504b03e042257988176508f4b0a2aba9ba

SHA512
4d9a04713fb31c8a64e60ceb53bb25013601558d2e9ef9639a1003c679ca05415a9aa56660f3a6114e59eb74956b6a1f749ce4babe99c4883825294dc2ca2f28

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
8da78a1716283c76c385bc5f0d6df4a0

SHA1
01196d3aa43c0b54ad753926fff4c3bcd4c96f51

SHA256
86b4e67a1263e42a2d15bc25c384fab25447e2c82a61661e7b03c6674637ec87

SHA512
f5b261eaf948721923bc6443adfaa258aacbd58e6fb42bf47c4664e1faa750334d0835222bc92b31aedc82f2e78963b6fbe581f3041b06f8bdaf0d64fc2c6a91

Download Submit
C:\VidLP\dobdevsys.exe

Filesize
3.6MB

MD5
080a9436021e7622378d8563f6df6098

SHA1
521721f5d652ab49083cf04bbe111c6ff463a989

SHA256
4d52d3036cf0815a6a6bd338b1c30ed3cac7fda3520af642133e96e900a0ce7a

SHA512
5254772df4c2ee6eb719a43fa31f830e25f442a0a47d951333057e62164d6a29c9014a9a7ba2fd272229e4b88ea4ff9f1eab4992121becac59f2dc4bc761aa14

Download Submit
C:\VidLP\dobdevsys.exe

Filesize
3.6MB

MD5
870d9a7471d5975dd0f2603b9a8148bd

SHA1
396b0f4807185fb25f6dcfccfdf093b7913b5379

SHA256
510f02e566d103380faeb811a069900d0932388f1c2137ed2a16ddce0ece89ce

SHA512
ecf058506b536b85b3c3a044e3bd2573c30d9f7c0b1d443213eb59b4dd9c5312f7ad2e9b86028a9cd6d4f9acc818948be4136b66434cf2fb1a907b471a0ee057

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.6MB

MD5
7b6cf7f38f2ab103040e4f65eb2900a4

SHA1
40f9b1d07257c7512482553c4180161a485f8e30

SHA256
232b5abafe159a96291a2ef1831968d093e96885a97c925b2fb4146814a8a17d

SHA512
940f23565036022902a6a82321f1506aea35344251cd6741ab4716392d5d7ba76ac31c3ffff125e89504bb7a29d49eecf3c29770bd5fa930beec35847e731d2e

Download Submit