e0e2b21fada51f7e500b5ac7038e8954f9dc8f4edcb9070dd43af2fee6c6254a

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 23:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
Size

3.6MB
MD5

044da423d619b5440b59eb43bff2cef0
SHA1

7f74483973a0cea084111814b7fb40a03fc6b6bd
SHA256

e0e2b21fada51f7e500b5ac7038e8954f9dc8f4edcb9070dd43af2fee6c6254a
SHA512

f4c79741f0dd8ccc6dd64bac7d1d1642ef0ef692a6e6ae5fdaa7a31da55dc56a70c5702c5bf5d045ae8f66735bf5417da324e11fd487eecba71e31572f29b87f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	sysabod.exe
2200	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAB\\devbodec.exe"	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUE\\optiaec.exe"	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe
2356	sysabod.exe
2200	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2356	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2200	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2200	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2200	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2200	2128	044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\044da423d619b5440b59eb43bff2cef0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\UserDotAB\devbodec.exe
  C:\UserDotAB\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintUE\optiaec.exe

Filesize
3.6MB

MD5
fc91e4169a23799febbd85e8a06550af

SHA1
059c3f1d9b75124efb99b712388df8236a1391f6

SHA256
0a199e2857d77411e4d329febdd04d1e2fc1866684e8536487b2f0fdc7c1fb05

SHA512
be25611d79f297fd3c885dc397c847e5efe787ff57d697b30ff21f4a41f6645bd9a9777bdfdd1db1ae571b0bd911b0218bdec2cd4d598824140f288104ecffd4

Download Submit
C:\UserDotAB\devbodec.exe

Filesize
3.6MB

MD5
2d776dcc0a52798a101fb2af70036f69

SHA1
3f185919536984570c51a2eff501f59022d006b4

SHA256
1ff928b3cf030b7253a1ab8327281d43d20fc462764c6e84e9d48eaf9825d132

SHA512
6183061c1d7c4853942bbc5d460ee64a42ea253e0fdd6e17496584184d12e6da054dd42603eaa54a39f5b5afadb358646db49eb7c7ddc9c27dd7a09c5b186fb3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
3e101eafbace6866693125174ff06fed

SHA1
6ff376a306077d71681ddffaf3b602e2c9d98fcd

SHA256
4cdaf4ffe82dd04202543d5aaaeda746efa07f9ca9da0498ae62bab274292886

SHA512
9fa118b4174d278818a77d474b47e45454d521da4becba516bc1f41609d70ed2b84618ea412ea648d6f27053b907c196cfaf487bcffad9ba665e8570f612b29a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b347e97775876065343a74467a84dc6d

SHA1
5ebd9317deaf7611b2e755a59c1b4be1c7806ac8

SHA256
7ae87c09526f7d94bffb549e13d4d912887f617314cc2e3608b2acb4e736b07d

SHA512
7a6504e005c2e81ed6abcc1bca9bb8c0306ff36bb4f83ae613284d18aa678d5ed63262796ffb174cf5d23e32f3217ba31a5677f95b4bc482516eaa21f2d4e917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.6MB

MD5
dbfe608b667b8c0722c48fb0226af3f4

SHA1
de0bf289123a6f707cf342374e2a825368c78306

SHA256
40fc302fcfa4a52a7e4dd003d6fc127c12df71a5eb04e1651f003f7c00f1509c

SHA512
53872ec2a05aa810d0bb180f4435d9dfafadabb2897b9c4f3916cc25dd0db866e19a24a29c2a0f3a144a54fe40e03c06cd136c87e4282035366091ed275d909b

Download Submit