c8313fb5032c29149cad47613df688e852443c43ecc0973970a730b75320ead2

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
Size

3.2MB
MD5

2925f26d02f356876e8b9d57aff18080
SHA1

281743994296f416fbb08190468e697b842ddb0a
SHA256

c8313fb5032c29149cad47613df688e852443c43ecc0973970a730b75320ead2
SHA512

2b0e49677bcd486f231225b42628883aa3a6b9b49383bf6af82c140f60d6047749fc9715aa24715dd8d0c5224cde4869de92e8d362ccd3c5c8943c2a52694ddb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpMbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2016	locdevdob.exe
2668	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHY\\xbodsys.exe"	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAI\\dobdevloc.exe"	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe
2016	locdevdob.exe
2668	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2016	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2016	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2016	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2016	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2668	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 2668	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 2668	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 2668	2032	2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2925f26d02f356876e8b9d57aff18080_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\UserDotHY\xbodsys.exe
  C:\UserDotHY\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAI\dobdevloc.exe

Filesize
560KB

MD5
94f1aced8bb19fec4a28ab80123a7235

SHA1
871a73c2e40524562337a634fe7b0268a4d3caa2

SHA256
fe8ff3e6525c0488bfff19c2c7d3067815efeec7cc3bcf842c48cd085c9f4895

SHA512
2f7072ba419ea11c653106eaf4d78c01da0ee936dcbbe63a0f6b62dbb3348c7bc382fd7f9dbf41747afcb66a5e771e91d4d792e1df166a65ede731a704d9817a

Download Submit
C:\MintAI\dobdevloc.exe

Filesize
3.2MB

MD5
baef79df8f46b4f4911d751145e3a13a

SHA1
34bdbb1a378780e2184336fdacf2b437b2fb259e

SHA256
27f682178a060a5c04fd4ef4b9c29f336fec2716a787e6f378fe369f20b05cd4

SHA512
524629aade0ccf8fdc4f6f220aa0b117a024d69109ce3475c69e8215279042c5bf26f9dafd3bd29b7f190530e3f3921d40238edcffc8bd6ee897d5dc41d84043

Download Submit
C:\UserDotHY\xbodsys.exe

Filesize
3.2MB

MD5
ffcf2af92931b2715a525ba432c9bdb5

SHA1
c968f69f61646793cc5e6a56095562525f6fd0a1

SHA256
d1ac204a039c5ca6449bd976fb990980319f2344e5f7f9f7f1c020a439ed660f

SHA512
f3e8ab09ac1eac394f84f67282153814a3e5d50ca5067973a3f555b7b5ebe742f4288829895108ba3f0b9b4d5eebdba7b6a9104d982f5271b57d210fc300486c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
4b2dc9e62e1091841855b128c8f8fab8

SHA1
597bf017c599b6e7c8a7d129af5a7f1d4d14095e

SHA256
3f916071239c2b84068f428b6929338319a328135cb348e07cdafab4c2c10f69

SHA512
f5419adf91a79660f9dcd3086dd9c553b24b97874111a5cf7ce2515bec043ddf9ccb28f0b06bfc690b5fe00dfd6accd9b6ce79683bf8fe730255c8775e62ec3a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
602c216af327cc6f99f01c9dcd9ac193

SHA1
81cf6e2d36d2462493f814462fe6e50314897535

SHA256
283e331f28621b61c1323d539cf8c8585e6037797cf18fc5a5de277e0dd0bb3d

SHA512
02d26ac70aa7315a000dd1798fa7d20b07ead2571fc6da1fd159eb61e20093912e1cd8c95274df936c95a1482dbe9a17386fe0ffa0347c391993f3a6dcdd86c9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
e375cf48d788a60ce2a7a845006c7465

SHA1
3ca490943251b532b8b1dd8b179df28b36e606dc

SHA256
f06316d489feb6bf882f61c84abb2ac61923c4efab80e6091f39665bdb995980

SHA512
a4f0ff95c6fe8d8865361dd4a05bc3870cc04572b5508c9e6feddf43d783aaa71c28257f7944a9396fca954d0a39ab1f87c5f73b71338b667680c9bf13b13b83

Download Submit