bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
Size

3.2MB
MD5

47517cc843ec405305007bd7b8ee8d50
SHA1

200a9924d70b4004f722a9d428b03f8d18ddf410
SHA256

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31
SHA512

be8753e9bd43790f7619131ff7fe80450a327617e57fb65047303e82fbe573e3398ed46bdad135e82888e70ab49212963cdd69dd78762c892f0c74779f4061f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	sysadob.exe
1688	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ4\\abodloc.exe"	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJG\\boddevloc.exe"	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe
2696	sysadob.exe
2696	sysadob.exe
1688	abodloc.exe
1688	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2696	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	90
PID 4020 wrote to memory of 2696	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	90
PID 4020 wrote to memory of 2696	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	90
PID 4020 wrote to memory of 1688	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	92
PID 4020 wrote to memory of 1688	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	92
PID 4020 wrote to memory of 1688	4020	47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47517cc843ec405305007bd7b8ee8d50_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\FilesZ4\abodloc.exe
  C:\FilesZ4\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesZ4\abodloc.exe

Filesize
2.0MB

MD5
07fc861ce3299bf3b944bc3a46ef72c7

SHA1
1bc221a6e7421388fe708b55fddbb6d4731784b6

SHA256
472b98256750e9fb838a79f2969bbf461ec280c14142c9807350a9665860e0e4

SHA512
ed66bd22c92d89296d8dd5e5c57fd0e6e61ed62cbee4d9dcaa64f7fc7be101e7fe3dd658389d1550bdf44a63a1cbd0c3a7a8ec27947bce431a2dbb3eda5fb9b5

Download Submit
C:\FilesZ4\abodloc.exe

Filesize
3.2MB

MD5
fd01cbaf5db178feedea592e093990fc

SHA1
fbf69e38863a54dca2dcae8af5a209a7270ddcdc

SHA256
38ee97d0d88c3501405a3cf0c2dcd1de60dfc687ccb2eed0a6f6b0cafa3d9b60

SHA512
187d42cebd39b799d939a5aa84aeaba367a1f1b14e3c4962d4be0708169be717da7da37ae07d6aecaa5c3e0e060d9a854f845d79425d6a0e5dc7faa01c8857d8

Download Submit
C:\MintJG\boddevloc.exe

Filesize
16KB

MD5
24674a4221b2a5f563b5921775a6db87

SHA1
612dbf402d0523eac9869b03c3b133cf3147221b

SHA256
930a97a6ab438f620eff9cc8cb02800f575011c6767a9107c230ce10cfd58b36

SHA512
022ccf72647f217ff55d6e55e15ec72480443f22add39ba7f19b7caf6d020401a10340e0e231ca558d07498ad2ca5673616d7310e2c811034ff6ef0f02eec4c1

Download Submit
C:\MintJG\boddevloc.exe

Filesize
3.2MB

MD5
b7adbeb2a1c1ae3d35af923fee46db22

SHA1
cb4dec7a17b363784c02d4911a0003b5d43f2f9f

SHA256
019b06e278f4340751f4f1ac8dd8cce462ba63e45b28a0683807cdb2f07ddf4f

SHA512
16bb78f00b0f8e5b3a3b4c29b024e0a82d4326d315252a28fa2d1d301d583c138b7bd63db3a73790784bb2b330b9416df52cc44fb81a37ae7815ae5c4181b974

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
38a0de30a2e9675d1c5d0791822c51ed

SHA1
ea3c988aac677a417390f49ee1e4207de03bfe46

SHA256
737fbb560a2317682bb7597e7d98a232456fe0f71083643a23aa746b50f88b1a

SHA512
70b2ec123accf9369346c17d2cb837dc7d5889e6ba4545e5a4c015c80202beb58955a93cd87671f66d56bf733a33020509df4f98663b161740ca8d181df94828

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
d0b049f4aec1ef95b4dd3c75a4193d3d

SHA1
09ddd8f90c043b05a439529017d1c4f30b9e3202

SHA256
f21a82dbc91baf536297c133893068c08ddc165e7fc8ffbbe193133fc43d69f1

SHA512
3efc193d35bd14322efcd3df1166e8855fe4d571b445c78baa606db208aeac7f61e8e8855064ff7908b8de9af8fcd82c217655e1506cb86599f520c382fc301d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.2MB

MD5
b2fbf40b2f468021ce4e3f96c4b3fdb9

SHA1
c09f0a60911bbfa812a238f16f214aa11c112e9e

SHA256
22fa70f008024148fe305f20b03044d388910a97fb481599a46b0ef4f4f286d5

SHA512
cca409c16df44211838c19d50f7dea68d3e502de5907bc9218cd77c5c366b0c6eca4491799fe1516485f308c4b33e2eb879a96bf9b5e166b0b2a62aa359db391

Download Submit