935453681f310399b50e23d7db0f93177ce33099b79f8355b7f2898ed2ae689f

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
Size

3.2MB
MD5

0ceca65c03d9c1a1657e3f12be7a2660
SHA1

3f2a67e3dec6f009e9a223fa5e6be6cee588bfb1
SHA256

935453681f310399b50e23d7db0f93177ce33099b79f8355b7f2898ed2ae689f
SHA512

a58dce716ac8f40b2308c89f7f0c2415e9ab93f8027bb1211aa00f150266ceda860bd9f6b31ee38c3f3fb5ad756f91fe8b822d28f356cefbf6d251b571965922
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1292	ecdevdob.exe
2200	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGH\\xdobec.exe"	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintID\\bodaloc.exe"	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe
1292	ecdevdob.exe
2200	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1292	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1292	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1292	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1292	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2200	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2200	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2200	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2200	2168	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\AdobeGH\xdobec.exe
  C:\AdobeGH\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGH\xdobec.exe

Filesize
3.2MB

MD5
415594148f9465e2be9393cc4e131e03

SHA1
c71921004355df136e795e19f523c3d5091c66e2

SHA256
7dd856fe58866389be6d1a11708cdb69cec223b261491bb440b9b8bc73f189f4

SHA512
6eeadfbcd184d50c9ac21e2f405f129cc2d29270559c0e72a00becc23ec27171dd0d1eee138f68d8a30ac62213b9f66143d8b5e0e0879a5310efa22111a9a528

Download Submit
C:\MintID\bodaloc.exe

Filesize
3.2MB

MD5
ab7c883e76a1f04840948ea7f1504010

SHA1
2ee86c80fc6dfeff6213d59c0f0cf9bf449818d8

SHA256
ec76d1f03f86566242a2e214b20a6bf1a2f007df54e4390a18cba6a68aa55c45

SHA512
f438856a9b5cf54565d80132a580c4c125a49b50b9ced6992321a059951039752b2136e3e67456ca33dc13fb6fd516d41d55760ebd8e2fa43c0b525743e53289

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
96728e0557b313854bc37529d61b0fdf

SHA1
1b202f4dc11530d91fd517988703fedb0849e6fa

SHA256
0ba068059903d08c54b72efdf87e686d9b7689f3c51380aeebc7f33c8f4369f3

SHA512
0533a1aa325f2a76974f96064c2c632ccb3e0a09c97930834ae7b8ebfdb37e5bd40f387f2e7db798d94fcb33482d143c98813884ac328b8e4ebcad6f8a2b3808

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
5b0ac99b28959266a7fb712057dc9672

SHA1
83c661da09b340f512ddfdcd08d1e123f7d1fe0c

SHA256
d09be006fb4ec640d589ee86e57671ab606c0b67bf9bb070820f780a1cdb1ffc

SHA512
fa8e4ad20c7a77b824964478616e6cb4ea4c849f6a006d6c504b3bf53efef4195eb7ab6beb8880659ae137ac72b10db2f7e4ae92d6587d01639f2765ca44b745

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
2798bbb450e9fa8db03ab12bc2ab5513

SHA1
a626e911a6c140e5cb51977ff845720ab971cbc7

SHA256
3fa26b49c4b540642ee5715115afa90dd46b0ee680cb1fec5c55763ffb717bca

SHA512
05f316199d7ab6e262a187c052c79517c2f22cbbc1cd9430be48cf58eabd9f47497a998aaa2c7c282669c8f63bb78ecb74ce529b293d6f377dae0dac38ddfcfc

Download Submit