6af55b382376b0361de06e473138e83244bf168f8227f7e5832a1a758523f046

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
Size

3.2MB
MD5

77e4ada3a403c619f1653699d75fe010
SHA1

8d3e762934d780c8267949099bf10096f76a415a
SHA256

6af55b382376b0361de06e473138e83244bf168f8227f7e5832a1a758523f046
SHA512

9d81f386a63309321a70be502979351d6fd9ff70e7760cf20a21f18f0904da727011bdf67b31216f3f8002026cec35d2dc40abd1d5b48098acd6da728a242dc5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3988	sysxbod.exe
4808	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHS\\devdobec.exe"	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGZ\\dobdevec.exe"	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe
3988	sysxbod.exe
3988	sysxbod.exe
4808	devdobec.exe
4808	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3988	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	85
PID 4612 wrote to memory of 3988	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	85
PID 4612 wrote to memory of 3988	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	85
PID 4612 wrote to memory of 4808	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	86
PID 4612 wrote to memory of 4808	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	86
PID 4612 wrote to memory of 4808	4612	77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77e4ada3a403c619f1653699d75fe010_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\SysDrvHS\devdobec.exe
  C:\SysDrvHS\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvHS\devdobec.exe

Filesize
3.2MB

MD5
fe31a926a02f271cd3eedc0536646b8c

SHA1
808b59d31291c463819855747c1d41802f2ae4bd

SHA256
64d4a436c8f3a085a0919bae0900f6f17699a55b3c936918043f84bc54e9c525

SHA512
f07f39f7da1acd04e7b22fe515564d1007a5873892d12142ea37252b43c487463f118d7270bbeb6c9e028b5e603e0cf586e2a700e7ba3d22f817d3d5bbadf3d6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c94a994df8a4881773cbdf57677743ac

SHA1
8d3a18721e1e8a7e4c6e8f28b73d36114bbfe12f

SHA256
c78bf9f498e8ebfd22708011da106fcded6f43769eaa345c72059c106d4ec461

SHA512
8498ff7b597e1318605eab83316c60005dfe786c4d17757b39e9d8137a7bc8ed0156e879719180b6021ec507ff4b209efc8dc683ffb240f8d6aa04563c3f7447

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
5e994098bd4e9dae4e4a927bad7aae33

SHA1
22662975fe63e1de17b492d1351a6c1efd815025

SHA256
dae29f5e85f8540531bff6313a9d55d9f4d9cda857e0f3237818102e0cec7981

SHA512
2b0928ce4c6cf277268299cf52dbd094fd7a46abba12425dacaba8b4fd0e3e223834ddd03d82cfa05f678494a0089c3bac63ee5a2eb6a127ac16543520b9a533

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.2MB

MD5
9d166a6fee965ceae29d5782d2929a8a

SHA1
b5cc1fd9a58707c87297782c74f8e4b8eb1ecc96

SHA256
2c8ae98f979bc05a6430fab92f03bca7fa666c0e73c2758fbeb6655f6db00e9b

SHA512
530ef630839228e4b94cdb3d7aed0b65d05a6482a5c193fe2335bb5838e80e6eaaed4e4e8af101d1df5805a49f5ad014033f04090898ecca065c7c1d4c7f462b

Download Submit
C:\VidGZ\dobdevec.exe

Filesize
581KB

MD5
cf4051319ce20fd8a6b9abfa113b652e

SHA1
524545a7a507687f545584e4bdc4797d29599d4f

SHA256
53d3c7dc13a09d21e11de38e3e27b1f4bb0ed875371c1f25020ca1f6ea310960

SHA512
958cc0abed4efae76c3256d4b72d6d175dfcf14576354bc7ce08d6215ae81493adb0852c69e65244580ae843bf4808bb7f7e2f8c33e4ed9c0d85c7347a24bdec

Download Submit
C:\VidGZ\dobdevec.exe

Filesize
467KB

MD5
c6584fde736849d57d75836687f58b22

SHA1
612a6f0f6040666d5e1d93a629c80c4a3495559a

SHA256
04f88c6e3a6a4c114eaee930317533fc9b11cd4ea4431fd6b1bc9e676bac4329

SHA512
0c13a19654056784d0c7a0bb6ab1846ca825c61f06ea10fcfd8bd6a08fcf1b1209003ef0f50ac1e96de0fc7ac06012f958bae3d261c4848286799f6ce8ec6685

Download Submit