51729f590d3eb4ca7d41c1617cc507e52766ea7e0ab095a74d5f5ff69fcb25db

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
Size

2.6MB
MD5

1dae5603564f4a8ff932855d3ec7f590
SHA1

bec7a6c89894facb806eaef85c29683c1337079e
SHA256

51729f590d3eb4ca7d41c1617cc507e52766ea7e0ab095a74d5f5ff69fcb25db
SHA512

bcb0a962e6ca8d680e7300834245105ada05ed4dbdba9344f337d8c115335aa3793b0246c0d38a6081d318e08d178de43d7d11cb8c739e7b8ec1f3c76d17b0ca
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpGb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1928	ecxdob.exe
2960	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD7\\boddevsys.exe"	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU6\\abodec.exe"	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe
1928	ecxdob.exe
2960	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1928	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 1928	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 1928	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 1928	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2960	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 2960	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 2960	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 2960	2140	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	30

C:\Users\Admin\AppData\Local\Temp\1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\SysDrvU6\abodec.exe
  C:\SysDrvU6\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZD7\boddevsys.exe

Filesize
2.6MB

MD5
2920013ab3e0e85a3fd27ca75ff72b94

SHA1
40a216d1ef5fdec787abef1291e2ec2493d5d816

SHA256
beb98fb2ac1d8d7be6c0a52382718da8fb7b82fa5afd4abf9829b0e7f5911752

SHA512
9eb80a8c200466958410e63e647379aa0e75cd29f4dfc3d8c3b44059c1662356c4c5db13e5bfba2d071009487a6b2f282e4dcaa9d421ce4d58fa98aa79d698ea

Download Submit
C:\LabZD7\boddevsys.exe

Filesize
2.6MB

MD5
18c28831ef69904a964b38933c0bff19

SHA1
5f207970808c10c085c2a48fda3fc141d909d3a3

SHA256
b6c374237e6110274afb9e2452c91af0ad572a6a04eca2f90439cedfc17a5012

SHA512
71c6bdcd94de0c44154342e5df2aa4971d603ca00c73b4e3e08562cc0c1a8396ea91245af7609a914568662208ebe387ea8b5bacafdaaba171e922d1a431ea0a

Download Submit
C:\SysDrvU6\abodec.exe

Filesize
2.6MB

MD5
92cd515bbcaeb4c10b3e608e8441bba2

SHA1
8f3f84d982986914671286ed6708869d4775d1d0

SHA256
3231f751a016bd41ab3c0cd55619535bfdf4418a58db5e6fc6a12bba5262b5b8

SHA512
1616e6d34527c5288ec188b2623508d1cb1001c8c0df7fb692324fc46c2c28a4e9eed788ab3e6cba5df4d42026d2315837d5949efbb9a06ab661a9e9f5e5fd2d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
891c967c987ea982c1e60cc6bcc5a40c

SHA1
20e30f1ed605617491e7585ee90da44682c6ea4c

SHA256
2e08d9f0bc66b04d64a7534ec68d4cebd2d07523028fc084488779347111d1bc

SHA512
e7f7a3e258b6defd7dfdf02b952b0a9783a2b6337d57a23ca3e826f366ba1461c5a6a99cac66b40fea945367420628b6a8e39317f7a68e1d412348a2204f2be5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0d4a04a3fcef2cc9f34eb8b30b62b418

SHA1
2edbc1c297dba9631efea4f9c9f32e55d0469f82

SHA256
0eb6cd237f3175a57fde98c1a121f8c73ff607981ef2fff9edd1576820d0d02d

SHA512
e5ac0f9243fbe9f0f2b8f2b461e81139edd42a6662b2b324040af5f92d9ad45ea6e70e92ef75f51dfe7f9d253f2be6e3ba5cf238fef7273394ad609720c9c7b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
6c0c79c2eb7a202204aa2c6fe1a5e441

SHA1
9dfaad9f3d5b4030bdab343a2274e0f9d23fa7b6

SHA256
96b67cfadb38e4592629aa4aa763ddd1e7e95638fe4020d2d69a51a523bf517a

SHA512
193a2d76d9c91029bff32a6c27a384e4e3c5337f8b534904360015e77009d30bb60fbc887b613395b28604985a928b42cfde6636ba066b88d35a65f4b103991e

Download Submit