bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
Size

3.2MB
MD5

47517cc843ec405305007bd7b8ee8d50
SHA1

200a9924d70b4004f722a9d428b03f8d18ddf410
SHA256

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31
SHA512

be8753e9bd43790f7619131ff7fe80450a327617e57fb65047303e82fbe573e3398ed46bdad135e82888e70ab49212963cdd69dd78762c892f0c74779f4061f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1688	locabod.exe
2028	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVX\\xbodec.exe"	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIJ\\bodxec.exe"	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe
1688	locabod.exe
2028	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1688	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	28
PID 2464 wrote to memory of 1688	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	28
PID 2464 wrote to memory of 1688	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	28
PID 2464 wrote to memory of 1688	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	28
PID 2464 wrote to memory of 2028	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 2028	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 2028	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 2028	2464	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\IntelprocVX\xbodec.exe
  C:\IntelprocVX\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIJ\bodxec.exe

Filesize
3.0MB

MD5
0d1bc440a6f5917209178b4bfd86167a

SHA1
9943774763834df77b74dc94c84eadaf600e41a0

SHA256
4612237f8e9845e7b0830aa4fa34577c4b46293af79fd61647e25164669c196e

SHA512
17a89d7c99c0e69f3e1fd424ca3e2c23d38c918991894cddd336e53aa0770a6e245de60e7a89e0e0ed2f284627025db1063d3e82d8e621f0459a6ff3036124bc

Download Submit
C:\GalaxIJ\bodxec.exe

Filesize
3.2MB

MD5
f80b4acffe72c64d87f77f2e3dc3e944

SHA1
6fd3015af08be24e2535e5c6df47f339537a9cf2

SHA256
e65f62203e71d8ef117bb773cd0460185ad4852a3a1c3fd4634bf8ec679867f5

SHA512
28ba838d6e0eef037d8a497728ffc09f9e86531b2983ca3b912c22d063da7a5fea0453748c3620494eea5055bc32501cf42e8d85b3b692091be8020cc784515d

Download Submit
C:\IntelprocVX\xbodec.exe

Filesize
3.2MB

MD5
bc6c5b6e5b31e32d70bee5b50d7f892f

SHA1
17e3303969f2fecabb7caaccdb13e85df3e15a11

SHA256
b34d3057631f433fd4dbc8725981955ab1ee1173f77f5323f8baf2bbf1bb090e

SHA512
cafa7ddaf0efa36478f5476fe3dd6362b94336740ea780429a09ee4d838d992d9d62148da3c1901e6e8ad4afe1c2fdbe255bb95495f4d527778c67a90eaf96f0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
aac6268db057f01bdd058337d25add68

SHA1
79862542bbbbb078355b65e3eb8c68f9933f82a6

SHA256
55adeffc5f8b5691e327ca1f59369b715e90e2d71b6d54f308f95e750ff6f44e

SHA512
0a917617a49a57836cbe755aae6b6a1f8eb627afb15ca0f816c7f2dc566c44d95062c0cee8f6e98b9d4276654437d5e03b3a7a2d1da9fb81da837fe364be00c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
8814094b2093510d2163120d105ff8da

SHA1
678d656f9aefbc9abbd2880b23b26f5b2ef458d9

SHA256
0381f176d49224e41f60d6b33d425b24dce2b2b78cbc8ea3c91c524649c54e53

SHA512
b1e7729ef8432ad6f49287202b8c26db4d9d9e17f442daaf304c500630a037bb89021a8efc97dfdcb67a8c0dfb41f479c16113a8afd2975a4619294dbb2dcd6d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.2MB

MD5
6526956c6a68267116f78bde9e5237b5

SHA1
402489e21d75946781e18a550edcf55fd5b142dc

SHA256
e3b185d15296170ccb785af010fedd0993e8ef80c6e0c8f7be23610788f6adec

SHA512
0bfac91d1baefbfe789c88b6c5669608c3a2d094ce7d44263ba78ffbd231f5f69fadb72671c9eda1ed2807991bef1e935c84412cc90017878f062b5e0f8e56e6

Download Submit