21d391cdd14d379e1c182615619991685d5eea59f81d8fce667889d6f40de3f4

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
Size

3.0MB
MD5

95862838317736fc73fb3b544a5986a0
SHA1

d87290e4a51c8ab2fe814521e546aaa9ec959098
SHA256

21d391cdd14d379e1c182615619991685d5eea59f81d8fce667889d6f40de3f4
SHA512

1c1c6afb967378aeea20e1bda1058c74993b2a20a7e4fe27de1c59ff3c94e919d878215b4ff395cf68c9ee54857d472f14cf72e24314b46e7da4a0bd308434cd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUpLbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1928	ecdevopti.exe
2596	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4B\\xbodloc.exe"	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMJ\\bodxsys.exe"	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe
1928	ecdevopti.exe
2596	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1928	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1928	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1928	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 1928	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2596	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Intelproc4B\xbodloc.exe
  C:\Intelproc4B\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc4B\xbodloc.exe

Filesize
3.0MB

MD5
c856d28f13b51691d4224f29d1f2cb1f

SHA1
13b1b1c8211caf9778bfee4d05aede719e0f1f9b

SHA256
b59d3235480ec18d9b3f6047c64ecdd7c36f92d9e524e8ac9ddb4e3decbd9a3f

SHA512
1b30c0b919802c06a354385b8b30e0e4ec07939394f9add29db0807ecd6db4486d65ca02be56daa46cae90fa43da4bdf674f3996359cd8efbdee09fe5ea9041c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
e7e914efa6375bc10dc3eca9dafc668e

SHA1
1a85a4f95eb5ba3bb7a7e77359777a2f77bac9df

SHA256
57ebbe6985cf5403ecff6f972c06f7718d2195482a450442c0f8b014c8afeda1

SHA512
a3d9156c6cbf4b6f7eec7634116b8c0ce4c5428f3360b312eac4d1bdfb0709d99145d118768668dadb6c28503579d049de74f9f134706dc3530a732e3bc9aece

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
6f2381a4a9426535451fab0e845fdce3

SHA1
a319f268b9ee9cef70697f2d612c5a0eb36baa8a

SHA256
ad45edef59052b337628d20f123b39f852a12368ab2ce9af5e17dbe3b073faf0

SHA512
e4eb205a2b76b14f96204e61c82d94040495f9e6848ac00e35d54f6274c7250cbb8ac6896213ea6fef7f64c5a82fb11b511f01aa162e35f06912c104c0b90132

Download Submit
C:\VidMJ\bodxsys.exe

Filesize
3.0MB

MD5
f0504fb3fcc227dca5e223a259fb2a29

SHA1
98009211334fa4253ebf3fc7ff743bb5f1dcb5c7

SHA256
9369bc23b92d775ab9a6c6bbf9bababf093a4c29baa27bf08c457bd0111d42f9

SHA512
5f6aee5746e79edec1e48f00f5e14001aed93b75675b048a450c285dd97f4980132a78ccb232fc4ce242a44bdfcd5b71e8cdaa171c2e9476c4d06d492efaef17

Download Submit
C:\VidMJ\bodxsys.exe

Filesize
3.0MB

MD5
6c5535c53dadbb9e1d2737c4a798394a

SHA1
5e89c98580ccdb670e30701a32241032cd6038e2

SHA256
4807f7c75d37e9bf9a707163ede03b5a2aa95afd3fcd322a7a941f26bdbfda0e

SHA512
0b637e6a6c7fc4437ca0aecdc1b699ba69bff45d707af4e81968457817d86c685dc9be71af149b94410eb87d33351fb3a34eaaedb8020fd604fbf1348c19a52c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.0MB

MD5
b408b27316821b719ae9be15273dd103

SHA1
fd0621e9a7c04f6c1bb7fb47187f6edff44acc51

SHA256
5113e40327acdcba215ff98df175e7e197b49f06c78ea40ef8645f052deefb24

SHA512
539b57af2ab655edd07f56398612edc78c1c22c50df4eb6677f7cad9bfc46e52afee02a06fb9d6b9931f910165e7c589a04a0098c0c7ee1219b7c57fa9fa6dfe

Download Submit