c975f0e85da9c5ffeafb0ecf719035bdae93d9fd6557c1df412e947b2343b751

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
Size

3.9MB
MD5

637dbaa8c14c601e73b4dcb80e1a2520
SHA1

0cfd62b1656295fd68101a2ab56a60d5711ca102
SHA256

c975f0e85da9c5ffeafb0ecf719035bdae93d9fd6557c1df412e947b2343b751
SHA512

bf93eb0a71bea0b548980515aa77efaabca27bd5f6ba7fd85abb9f273c538462dc741af2af2b700640ccf136aa67273646506d81b5d54666eac16c5e08bc6041
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpNbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

pid	Process
1896	locabod.exe
1832	devbodsys.exe
2744	devbodsys.exe
2636	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZM\\devbodsys.exe"	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNS\\dobasys.exe"	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
1896	locabod.exe
1896	locabod.exe
1896	locabod.exe
1896	locabod.exe
1832	devbodsys.exe
1832	devbodsys.exe
2744	devbodsys.exe
2744	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe
2636	devbodsys.exe
2636	devbodsys.exe
1896	locabod.exe
1896	locabod.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1896	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	90
PID 3696 wrote to memory of 1896	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	90
PID 3696 wrote to memory of 1896	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	90
PID 3696 wrote to memory of 1832	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	91
PID 3696 wrote to memory of 1832	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	91
PID 3696 wrote to memory of 1832	3696	637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe	91
PID 1896 wrote to memory of 2744	1896	locabod.exe	92
PID 1896 wrote to memory of 2744	1896	locabod.exe	92
PID 1896 wrote to memory of 2744	1896	locabod.exe	92
PID 1896 wrote to memory of 2636	1896	locabod.exe	93
PID 1896 wrote to memory of 2636	1896	locabod.exe	93
PID 1896 wrote to memory of 2636	1896	locabod.exe	93

C:\Users\Admin\AppData\Local\Temp\637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\637dbaa8c14c601e73b4dcb80e1a2520_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\AdobeZM\devbodsys.exe
    C:\AdobeZM\devbodsys.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- - C:\AdobeZM\devbodsys.exe
    C:\AdobeZM\devbodsys.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2636
- C:\AdobeZM\devbodsys.exe
  C:\AdobeZM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZM\devbodsys.exe

Filesize
3.9MB

MD5
de07a0f76655e948440d0629449c9e35

SHA1
87c5f44a9f51eb14a012c704fae116424d131557

SHA256
e2dc8b0891d4f1bac1a9c834a3ab16b192350a8c8aea9f2b4b3edcdc260dfcc3

SHA512
576b1930854b1a11a384d5aa6eebc75cebeeb0c70406ecacc72f46a6224817c4874b855297c1c437535b5740c876744f1c1a0d6f57b09dc7613f58c04daa38be

Download Submit
C:\GalaxNS\dobasys.exe

Filesize
3.9MB

MD5
8abc63dbc977a5d4b101f20e19e8c3dc

SHA1
7388dd2b54a7cf7cd90a42c87f8ee526e48701b9

SHA256
38cab7e3b84ddd4a7bf890dd351026a8357aa1f962e04988ab5ced8726f0541f

SHA512
1b540771d006a9bc7dc573d143cfa83d94d5a1f1a0c0c40994c937b1ff63508a9322aa01c2a59ccaf2c605b8ea3903121c41ad53b3c98eafaaf81990a13c66e8

Download Submit
C:\GalaxNS\dobasys.exe

Filesize
3.9MB

MD5
64d0b06bbe3eaea43c4059e52cc49519

SHA1
61fb7acdf3e1c740e9d893743764d7d6bac42fda

SHA256
04019fce05fa39cd6b95ebdd833c84afa6764d225647ad2272450cd764318886

SHA512
cbaaf3784da494f325fd6ad4d50be87d6269d25552dbb928f8363fc3ae000b65de9a76d062a770d54cf6b41204c62441603c4de34e77117932710c099f8bc20a

Download Submit
C:\GalaxNS\dobasys.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f2a986276ecdaa149abfa54a932b22e5

SHA1
fd6906c94766c868cbab2afc7696bb1838e62e93

SHA256
e7a02494e3a5227cb50d8cdbc36ae8dbd56beb03f3cd2704db0d99ad2620686d

SHA512
15f65c26d51d33e4c5772d6e5eb46959ca126c4598744628cfc8f1eb2e36f17a57af8576fe21eeb5505a0b3de25490090afa2dfbec9fc2c0b06adf54128e5dea

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
d18ff4a4ac516950756a29da7a648842

SHA1
a7b40dc0ab1aea0df9c510dbcc8fc95cae3d3cff

SHA256
5e2f04f998f293a2438935a9efe7f4822a826d70ff9a1418cc5bcf470a998f56

SHA512
efa9305eaf8f297fbd392917667d553d4b1326861ab387ceff0fad44011861dbd7ebf4fdf71eb3cc27f71a5bb0aec77fce95a2f0b3199245b8b2b65a2d8b9988

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.9MB

MD5
806789dfede6505afe51248a3563bab5

SHA1
703a6794e5d465a60f186886cb8bbe8fe0c29c71

SHA256
fdc484b7ad9ef97826e6b84ec069c7e7a8ac3dd5ed54ff01595db696b93701d8

SHA512
d1d635492e393ff9b6792598b191831ef014970498ed69f9397c240865945ba6515a3321c9bee4028d3055f62367f857443fbaf6e6ff9d2b43a8fe24249b83e7

Download Submit