0ae27459fb59f93ed9d89089c0ccea80baadd407b7230c7301fd84fe01637620

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
Size

2.6MB
MD5

31af83fa45af8abb9e814e4acd571500
SHA1

9ac56a07f2468ab37ed12fb14000a262579d2a7e
SHA256

0ae27459fb59f93ed9d89089c0ccea80baadd407b7230c7301fd84fe01637620
SHA512

9697b3ec491d2d6a4d3b915665cb67a782a1da8554ffea96926eff7ea7362877d4b21ff077eb1f8266c7873438088eccceaf160b8fd8da9e5ce719026132c589
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2476	sysdevdob.exe
2608	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6F\\xbodec.exe"	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4B\\bodxloc.exe"	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe
2476	sysdevdob.exe
2608	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2476	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2476	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2476	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2476	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2608	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 2608	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 2608	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 2608	2244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\UserDot6F\xbodec.exe
  C:\UserDot6F\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ4B\bodxloc.exe

Filesize
2.6MB

MD5
be3b02093d557d67186bd5c87a78c355

SHA1
db06a6253112c081a6d4d1545a5b872d29a3284a

SHA256
a5dbf5fdda35fd7e5c0bb40cac217547e5fc258acd620a454c89d6e6c8d5418d

SHA512
053e9f58d1b378133c1354e90b8ea263d102946e434603a10dadbb5da04c5227a6ea5ddccb6dbee6df8fd4c9fbd18f57a40d1315e85707e08127cf0c73c7f264

Download Submit
C:\LabZ4B\bodxloc.exe

Filesize
2.6MB

MD5
5d8a2d0511b1c24eadfbec2ed9e05a16

SHA1
2af9d32a23dcc48914841676f72730354eb36926

SHA256
02d1b11797b786e33bd3eabc376f8edf618e8be0c6fb0f661188d8912e6e37b7

SHA512
2723444a6652a0c8b635b7dad34292b9a44af5fdbb61070fc4eda24d3d177fb03f92eac741dfdcc112fd637fadf58980b8b6f9963064f0762a0597bb13456e3e

Download Submit
C:\UserDot6F\xbodec.exe

Filesize
2.6MB

MD5
c113f15ba5565622f3c63d41592c1111

SHA1
d2ab0b5d272a61d2e9c666e2cc0f96e1f2fc3dff

SHA256
1f9711c34ef9ea8c2d1860cf1b93cf89e20f68f41c6856cc4f343fea012ddf54

SHA512
2147a876250f9cbcf323da6176f6cb93f2fcadb9f068d9932d0cfb018c126af9b165f186bc91b27247e47c4716eb665e1a1e9c931f181eab018f09d28f297765

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c96d5cc39dab880c2912fed328131930

SHA1
99573b1adbccec7f5fb54983c1643d1d3ebd6d36

SHA256
c4c0d7dff968ceae04a181ef70e24410ca4acfe1d0640f039ff4eed2cedab931

SHA512
d555e005b11cbcd780b3a641da1dd18e2cf786b4f1d295f1d7e3d4e93479cbe01ece219fd3d10771490f024295454e347741b3f9b11b880e1171c899d9cb8086

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
22637c712d6ae792452f452cced74a26

SHA1
c72ca63af283660eeba474503f5a0a8d1653f646

SHA256
076278ffa5fb83c30ff514fc89c39e5f07a31d4070a87a1f53ea1c81e1315c1a

SHA512
2100a6f465fe4c8122aca76bb588f371eccd3b5b64ea493f3372a1a98e425560522f0916dfd971bf372dfff9fab0766ec17b7a3ef7bec88c35a984041c7d7964

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
324565d101ee5cbad409db09d0f766f0

SHA1
a332f951b3373be83f1e5b343a1d09e5a7953060

SHA256
c2e193d655b97bb28685f932926378ee66338501eac128f47757d074d2d0b114

SHA512
718ef701f66920e08a2d13efe0402a0c2a9437c380ad7128e9d0b0ac7ba81c496469dfb8172ac6ae4b1edd720916d08985e768f5e36891806155a2a701bb7052

Download Submit