532ab6ddd64dc4fd4115e63266461a112b0ab176e22e69206ae4faea55e9dc01

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
Size

3.0MB
MD5

3448a24f5bb2ed1cf8032a67666b9200
SHA1

ed15178ead400d41160e52081e8fb777e8cd7171
SHA256

532ab6ddd64dc4fd4115e63266461a112b0ab176e22e69206ae4faea55e9dc01
SHA512

668ea86b9703ee314510a01473bd5b6d053db9d87cea069fb533fd22e503a940ae4e03626f36981312dbc83b94f84b25750bb34694af36634c6327cae8961906
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8:sxX7QnxrloE5dpUpEbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4508	locabod.exe
5112	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAA\\xdobec.exe"	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBJ\\boddevloc.exe"	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe
4508	locabod.exe
4508	locabod.exe
5112	xdobec.exe
5112	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4508	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	83
PID 2964 wrote to memory of 4508	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	83
PID 2964 wrote to memory of 4508	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	83
PID 2964 wrote to memory of 5112	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	84
PID 2964 wrote to memory of 5112	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	84
PID 2964 wrote to memory of 5112	2964	3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3448a24f5bb2ed1cf8032a67666b9200_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\AdobeAA\xdobec.exe
  C:\AdobeAA\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAA\xdobec.exe

Filesize
218KB

MD5
c53374e68dbb02ef8ebb31e80faa0763

SHA1
5285f03ae2bfc6ec5fd258e3836debe45e316cbf

SHA256
3e81a780e56b89e9b92c62841e0f977d239e6c080df0d1c5e8ec1d94a2892093

SHA512
bd0fd71d8022af50c2281c35f6af03f8795ad19941bbf4df85ea62d0bbb6b9494b117435d39a335f6be64b14c43d17d031bab1db029dd304f7a6aba064b56f51

Download Submit
C:\AdobeAA\xdobec.exe

Filesize
3.0MB

MD5
1107322a81aab7d4f85e719c8f19b0d8

SHA1
a18e01f292e935a35bdf362fa6ca073ab8786277

SHA256
7733780a95d053b73518120d4014dc497c1e9f69fd56fa4ca60f60ffff84aab8

SHA512
4dd0ab51c708ccd7f066689ec5042d78a5055f27648e116892e132a25fdc168191587a5b5dad7b9ad3ca77253a7641f2ce0b2befb6871bbfa43a28aa29baf7c0

Download Submit
C:\GalaxBJ\boddevloc.exe

Filesize
3.0MB

MD5
47caefa02290f6b20634a1bbf136d2f4

SHA1
eb2cfb051a4308968a94c1b19814cbbffe15c52c

SHA256
dc9edc46fbf60157ab70c3865e25804e4f3861b567060aac79f91d5d773d6a15

SHA512
a173f8b23aa19d7002d78cf18cbec7b6d23798e46b6136f4b0fcab60099990af9b3ae162c7b9f2c91da6688d9af1c99d7bab53fba92e01aaacb31d27105d5882

Download Submit
C:\GalaxBJ\boddevloc.exe

Filesize
67KB

MD5
86b01db4f90f54376ea6672bc4a251fc

SHA1
f36fb1db6970aa9b99ae64e926f4a3bb9e71c6a2

SHA256
6d486613d9399c811c0a99b36654dedac6a59628b8d032fd33ed5cd0cd7d3aa9

SHA512
717fec59e1b9bd2ca1465acef1984d009ee76a025bc920f2e9f2460104ccb7042c24cf943429dff06484795e8719f2beb45f227fe12b7dab92fb2ff2bd7213ce

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
39bc73aa9815b7bd9935c80a9942c8b6

SHA1
21a2d05609fe60582c790545ca873bfc63169608

SHA256
f3a7c0652df015ee31c4a5b66e7cbcb5c1ba84d11661a0e3806033d8a2aa21ec

SHA512
6ae3149abefae3b143f4d47ee48d8afa979bd9a5e324aa4a3328853835e109ab1a123791b20cfcc182052241f64ea14db047a6cb3b4400ea96c4cf2785ff3fce

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
3e259baebf462cfcf9559667d70b112a

SHA1
5a5fab0d59322d8d5b76d8eeaa89adddfda70979

SHA256
24e99e353ede39a336000a9e5dc98da860f30dd5b2200892055c143ed07f9746

SHA512
81569bb43fdf51ba2fa6d6f8c1340f6ddbf373f2f6c4634a36b7146b90b95c1cb50371e2332f03bc3291016704f7dc00e62fc81736ac03985c251af7a2231fc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.0MB

MD5
2c131db24d194b8162040152a30c22da

SHA1
8bfb9e8bcd629f46919629b10ba9d48b3cce9918

SHA256
a2a24478e3140a86b103ee8aa232b7b04efaba1b40d9ed81de559aee3a044660

SHA512
436906d22a82915347a3682e339a87eba180221aa511a58dc3293d06aab74551c78962a4a9370f1afd4d107f6a5c375ab37719bbe9edbf817e76576ef927d8a7

Download Submit