f32e7a23f724c65fa105ddc10f360f5d104df1c5eb03db789bc6c2a894139bd5

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
Size

2.6MB
MD5

7559547ccaeddcbcea9850347a04ab30
SHA1

4a3fd39962741c4055ada58a2ecb338b82e6a05d
SHA256

f32e7a23f724c65fa105ddc10f360f5d104df1c5eb03db789bc6c2a894139bd5
SHA512

4f810ee3d0483feb68a0b9bb65c13b292960912a3dde5730234068489c583631ea42f30f945a08449972f8dc70703cbbf3b2facf227dc9a59956868be0e6be51
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	locadob.exe
3696	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeI0\\devbodloc.exe"	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ9V\\optidevec.exe"	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe
2848	locadob.exe
2848	locadob.exe
3696	devbodloc.exe
3696	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2848	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	88
PID 3988 wrote to memory of 2848	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	88
PID 3988 wrote to memory of 2848	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	88
PID 3988 wrote to memory of 3696	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	89
PID 3988 wrote to memory of 3696	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	89
PID 3988 wrote to memory of 3696	3988	7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\AdobeI0\devbodloc.exe
  C:\AdobeI0\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeI0\devbodloc.exe

Filesize
2.6MB

MD5
84270d8cbb0738206aaa57376a407a4c

SHA1
97042aebdc1402f313bf43b1550245b2222a8b50

SHA256
a3eb0c8e48101fb5ce186dd417cc3462975974c95c3704a63968ad8c5b3042ae

SHA512
1b982d9b1372f77224c51d384d723f2e1cb88224abcca6e23261475dfad9fad2f861025c5df7abe822c30bac7afd41931397e445c282f647d9a390327c4f2cc4

Download Submit
C:\LabZ9V\optidevec.exe

Filesize
998KB

MD5
187c0deedad14a9e056cb4c455740856

SHA1
786afebd80e775b2e7a43fd5e7f0d57a46d26f68

SHA256
05c11ebaf008f528ba0ffb6879f7fc3dd4c2cefff5ad059c56145349510cfe1c

SHA512
f2e5d03897d5229a0e302e95cc081e28e07ad56e7fb279cde8670ccd9431cef8df3f288824f975d3a7b72cad84c466a31a283a716b264be2aa009c934612ed1f

Download Submit
C:\LabZ9V\optidevec.exe

Filesize
98KB

MD5
e362ac1b3e165021903a0470076e32ac

SHA1
cb6e83235af6aee6437eb5bc62b6af7db435660d

SHA256
07f1fecdb19783d37d1bb3cd0407b73dc17bba3763127bd4fdb68b01816a11bd

SHA512
30d4eba752b4cdacc1c4346e17303bbd8748c3f26ed62a9fee9a8e8c379816f888c4ab6405cd1430221c54b6d4f5469ac674d23a65b6322687eaaed6096fa516

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
14a0f7282333352dce1e01fd73bc50a2

SHA1
5d008de71f7b2b2fb1c96e8be868b547c437fe6a

SHA256
c529ce111b189c209ac0eee028ab1ef1d7f04a6fc87822d13cd11c574ef574ba

SHA512
f3a828d725cdef6fc21ca6e1dcde645bcd8d768259f1d4c03de4d85aaa9d97b26bb7d19b44111d01911e9e96006404d8b6d0daf2088e5eed895b64bb3214f1ef

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
8cd1837ab7afb20cacf7a7b5fe4657bb

SHA1
2c8e74cbe4fcce89e06825d97e18b45495411a4f

SHA256
0d37735b8f32ed541e0982ddcee87e9da90330377440194c5e86aac76e2a0da5

SHA512
f9f5afdb9544d61e07eead8387100911fa1fe4e516033834131db74c00b732d99421eaed575f16af695224c770beada818b45e91dc11ca69c1fb76386afdee8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
be3e9a493e8d19abb37594bc9946cea6

SHA1
77a31019664ab9207ec3301bcbf000f959e83b21

SHA256
f683150b86035c11f3276a627273b06c28be9884ec35c09141eec009498b30af

SHA512
b142910985aedda7217ce73df548235bbbeb6e75fe0c9fd066e478d5ac1c0e2432fca210b735397a560b375dde58c4334c0500b5e4aca23d7fedf08441c360ec

Download Submit