c9b575c20989a7875e5d5e11a4f09bd7f28fd8d3a3120ee4d38c085553a3b8a8

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
Size

3.1MB
MD5

70503708e67e39244d617a40f0392970
SHA1

5de933680a4b0d26847400588a8388eea2ad7a37
SHA256

c9b575c20989a7875e5d5e11a4f09bd7f28fd8d3a3120ee4d38c085553a3b8a8
SHA512

d9f59f40e0fb2ebeb6ad0036fc74805fa69f405f021e5bd5d3995b393da244376e46135128330d0288bb105c2ccde0e672d88c530a2f48d73142f6c936fd650d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	locadob.exe
2884	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDR\\adobloc.exe"	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXT\\bodasys.exe"	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe
1340	locadob.exe
2884	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1340	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 1340	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 1340	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 1340	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2884	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 2884	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 2884	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 2884	2060	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70503708e67e39244d617a40f0392970_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\IntelprocDR\adobloc.exe
  C:\IntelprocDR\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDR\adobloc.exe

Filesize
3.1MB

MD5
7936eb554c1816fe4be4e0e431668510

SHA1
43f5fb85dee0176be3fd8d48f74a2a75c0bef5e1

SHA256
81e51b805bdc7c1e58126a37755cbb58ad94c66d51c20bcdad716155030562e3

SHA512
c3ff8f50f1b89ef1424cc4df45f2cfa45b49417998de812f17bc2582ff0d2796f02955ec443edc31cf55121f6ff9c54e96692182ace856e886bfe142f0c86a42

Download Submit
C:\LabZXT\bodasys.exe

Filesize
1.4MB

MD5
768b7c1adc01027504fd959757b0bf15

SHA1
9f0c8b40a15701693459080683f173bba39de50a

SHA256
78d0c16f6dd2e8b483a538bc99b4fd63974c43c4d126e1321401b1ed7753237a

SHA512
793658598bc7a831ec8bb83f3249c1028965a4a85116e3a84a3923a4ad7adccb92f3ed87c37699d8b6122395e2591524333bc2c56afa8adf0f3056be5fce0f43

Download Submit
C:\LabZXT\bodasys.exe

Filesize
22KB

MD5
5e5f77e5a8bba3451205d15924cd85c2

SHA1
8dc6f4f6076d3abc71b64626f34bc06239e824c1

SHA256
2cf5e62848375af5dfdbd237976b8bf53195ad0533a458694c774a09a1c5e622

SHA512
865f8b9eafb8e98c518d4157321733e2b3a01e26eabd18a9260225be73c393ad11ddb23be1bcb85fe39df817842f35624262bcbe170f66b1887924be42e32d37

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
b1db7a664897205c73c197e1599b19e7

SHA1
9dcb0ccd281d749fcba265b8993f7467c204d6a2

SHA256
ab997b37462fa216e7b06b1a1c11f994bb891273573b6341458a23966c5c5563

SHA512
553fa92c5c9548f4dcdfe65544bec18f940836e7f7d8c4b29f44d4005eed94acb58e9c2052ea9d48373c341793363dcb73559dd95642583a44ef8637656c02c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
e2256f5c835a2e2dbbb6e3fd8585fd1a

SHA1
1435f95a17a3116288f3de770c41e0e56c1d0c16

SHA256
9337a3b0b8c614674714cf812f124609c6167d30f49d4b9604ddac30e1235d95

SHA512
742d6d5b7586346a7e41e2226b1c77859e8c7ec1fe480b066df70688d00d9adcd877e5ca89922cc17fefbff0bcb9b3f49ccffac9f60d6c043617b2ca4f392ab4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.1MB

MD5
5b6def79c7b407fa82aea670571a48d8

SHA1
d5576b5ca09693f005a4a0f8896fe5883d841dbb

SHA256
9d52e6e53873e2cde128a12636ac7d6ebf37285e3f5330e96c7e520721bd7439

SHA512
e26011f98e60bba8812b74387b291bef615a5f7d80c77baff431d472f74fc19f84de5187ea91c3dd9e3bd5b5a2acbcb4134c152e9cae3733e73aba41f5abfc80

Download Submit