382fa924885a54e62febfc7a0788cee7951a63590778694d54b730c54137a880

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
Size

4.1MB
MD5

4c37edcd44a81ce59acc6555499d8ce0
SHA1

c352e150e2d4d6cff5d280ed2d6f9d529042360c
SHA256

382fa924885a54e62febfc7a0788cee7951a63590778694d54b730c54137a880
SHA512

bab6baeb680f77fcde60eb358bf6b1960aa36dd9bee46ea10914bb2dce8e43000739f98843a6480e3b103de4c08d12531c57b255232aeaebbd6964059b67d83a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	sysdevdob.exe
1580	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMP\\xbodsys.exe"	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRD\\dobasys.exe"	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe
2988	sysdevdob.exe
2988	sysdevdob.exe
1580	xbodsys.exe
1580	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 2988	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	84
PID 3888 wrote to memory of 2988	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	84
PID 3888 wrote to memory of 2988	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	84
PID 3888 wrote to memory of 1580	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	85
PID 3888 wrote to memory of 1580	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	85
PID 3888 wrote to memory of 1580	3888	4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c37edcd44a81ce59acc6555499d8ce0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\UserDotMP\xbodsys.exe
  C:\UserDotMP\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotMP\xbodsys.exe

Filesize
4.1MB

MD5
1257614839d583eeefb623803a26afb5

SHA1
404c7ef878c3606c9ef9afb359f40a2557cc1ef8

SHA256
4cf80a4271f46c7e99997f3492ff5f381657fd32ed83e4a0c4aac3a87291364c

SHA512
ca3164022da0b0cc8c8f2857473fbc18fdddb6a940486590846b457429fc106f37da5118cf3106635b6b417d33c023092774526ec5a54780742969687818a10a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
b5e93858082829b4813b946780b3f98e

SHA1
08d000586ce95bdfec0761add0bffab4e6ec2e87

SHA256
c54d537c7e1420198e31b36d773cb0888455fd206fdc618c9b7469e99cc7c5bf

SHA512
0a5fec52d7b195cb55b88431ed35223c2b79d1a22e8059e07fb3b8bda7d1dd565608560bae9e32d79f32cd08e9b90419681fe94503d57c618cba8de6f9fddb18

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
a24b1893e3aa3e0d1d48043332c9fa90

SHA1
fbdf4688a6aa9d0b87ccc22ee4574abd6c95efa1

SHA256
6f80914426baa4a1b9ddd1ffdeec1c43e2dfb3640c2d5ee3581de44e2e10a3d9

SHA512
bc2d4b628ad0ecc57a0ff937b952bc041d0e89a7822188884af2d92ae7d538b8d4bd9b8e179f52532e4aa00f165827a77247f4815a40fb0afc478784a764c001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.1MB

MD5
d28ebe26327374404c42c4fbb38e0ac2

SHA1
3f9e89bbdccf8f938639d7cfdf2b4443c45908ac

SHA256
e6a76f45cdd413aa9b44bc0964f98344bdad5555a4488f28936e057fa0d3ae1c

SHA512
dfe8cd4aade7fc71af78a0d3cc76b662502f9832343ebd2773c56f65d4fa8059ef9315229c4ed37f7398cb29e9e0d3fc0393bd39b68c6a2b19b28d9b1886691e

Download Submit
C:\VidRD\dobasys.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\VidRD\dobasys.exe

Filesize
4.1MB

MD5
2ad269abeb72deaa1ae571c7edcb6348

SHA1
8c2342740f6983521615694514590319268f0bae

SHA256
52abb2434d653c4546e8b5375ae93805ceb59f173ce9a9e3caec74458c2d51ed

SHA512
f226ac56e105c6d56e9b75edf899977cfca06919f1e8ca7f892b80416d008a2c576f43a83441384d57366360d1fc5c3530dcb8da446ed6ee982965b600015144

Download Submit