6af55b382376b0361de06e473138e83244bf168f8227f7e5832a1a758523f046

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
Size

3.2MB
MD5

77e4ada3a403c619f1653699d75fe010
SHA1

8d3e762934d780c8267949099bf10096f76a415a
SHA256

6af55b382376b0361de06e473138e83244bf168f8227f7e5832a1a758523f046
SHA512

9d81f386a63309321a70be502979351d6fd9ff70e7760cf20a21f18f0904da727011bdf67b31216f3f8002026cec35d2dc40abd1d5b48098acd6da728a242dc5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	ecdevbod.exe
2924	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1U\\adobec.exe"	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3X\\bodaec.exe"	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe
1724	ecdevbod.exe
2924	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1724	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 1724	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 1724	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 1724	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2924	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2924	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2924	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2924	1916	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\UserDot1U\adobec.exe
  C:\UserDot1U\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax3X\bodaec.exe

Filesize
229KB

MD5
fa9b8b724a6a540b7a17d0e50307777b

SHA1
70d5850c6ad692fbbf1544776600b9b29881c546

SHA256
9474c9f98969ada1d1fe8fb238002e9f52dc9ce505c0e69708125c4540544387

SHA512
f68d3ec0570adbef8102d3cc246d1f4b59d1af876dd6757681ab6476af06188402f65ce9230659abf405a070cf1efb10d97f1f0576a5ed381d7688617f69200d

Download Submit
C:\Galax3X\bodaec.exe

Filesize
3.2MB

MD5
d0ca77eb5893d096048d9a03d508558c

SHA1
0e241fb08c2261b3948a47464b909a1f67bd5e61

SHA256
b458a1f6fe23fed49a40c06e997c12b2648bab68671d7e3252758bcc20bf7175

SHA512
a72dbacddd39f17fe3523479e6e4194f545e0c5a464716b3bfcf9218f1f3de834dfe8ae7dfdab4f7ef4c17cf14ae6c3595e8158f941c2535f019b6a6a7109769

Download Submit
C:\UserDot1U\adobec.exe

Filesize
3.2MB

MD5
af5bbed07463db246cb16315998cc7f9

SHA1
bd1ca708c0d66fcaf3dc04471faa0ddf3c91cb11

SHA256
e95a271dea6603d21833ccc78d7f9d9e3be7d6f4bb03da3e4e3e5ea273355036

SHA512
45262f21d011f4ffaba9d9d9c18e184e868454f3799d533368cd5e26a9c27c6c34e0bb9b9530a46fd9bcd74958977fa8f8aafb5bef301abf89623e255d9a5f59

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
111dd76b4cf392461c2537d4f9bd7002

SHA1
4cd449c469e2938c2870af0e7bf2b6b0598508a0

SHA256
a0197afb1b4df43472f3aae7de1f8f649a1e9cf481861d859247d30a5540b241

SHA512
484de7a3e103b8c2848c5d4af412117303f5de5392d7b10ffca7041c110a29169380e9ddc89667f41b907c18d3e33c2a0170cc7a957ab4c4d943590c782b2068

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
66e4ef3c782d3734f2f71801e75df001

SHA1
202df11ddc6582ae2137beb368982b008cc27993

SHA256
0d8a44f7d6be6f75a2a891ba4aa1b6b0350024b917ca5763103a70a62689a45b

SHA512
cd829082c5c7f080d9361ae4d175a7eeac7a8db500ddf8823b54cb364ee127af36d855f5982837ebf997064064b8a7ba78aa7496807d185c5fa1506ed8d81230

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.2MB

MD5
29e20af860b0fe7e141fa5b4b7828bb6

SHA1
ed62ed19be73330d0c82d961ba8c3acc9cb6787c

SHA256
4c2a9063b773d8122995fe9d62871f57260453f2239b8b53952cdb6b0a363b1c

SHA512
18a84f22913e047e40741f2ef743bad10ca34b8b0b5dcbd3595f3951dce54fbea8d01f75000192f349fb059594e8b90a2260949a83dcb3a82cdb5858722416d5

Download Submit