6f365a9e7bc4d712cc0603b2cdea7d20bb7bbef2f49706ef2e4e67340da51fc8

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
Size

3.0MB
MD5

ba163b089c79b875ca4dca32d3d46ac0
SHA1

ff6d685adb5c727f538a4142ee4d1b4099b10331
SHA256

6f365a9e7bc4d712cc0603b2cdea7d20bb7bbef2f49706ef2e4e67340da51fc8
SHA512

f69e222ff7d400e42fc90d985c9b65c21c606f6761d81653b82503205893e46ad0b0981ecc71b23106f132b4c402717d947220647b0adf77e34c935aa64ab080
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNX:sxX7QnxrloE5dpUppbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4196	ecxdob.exe
3604	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9J\\xdobsys.exe"	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBM\\bodxec.exe"	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe
4196	ecxdob.exe
4196	ecxdob.exe
3604	xdobsys.exe
3604	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4196	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 4196	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 4196	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 3604	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	92
PID 4076 wrote to memory of 3604	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	92
PID 4076 wrote to memory of 3604	4076	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Files9J\xdobsys.exe
  C:\Files9J\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9J\xdobsys.exe

Filesize
3.0MB

MD5
0ad2c93f1fbd1877bbfb7e4b867dc1cb

SHA1
96aa19a4b852485f4e91e086673f213d9512e0e3

SHA256
b7928a84eed99aa9b2c59dbfe6abd0cb447a7ab3f825b1affa0259b487d57762

SHA512
75788ca8f03015c2c8fba75f538a7ce52a42480369a93214a0b2343bf671e07941ed9ed3ade9ae67e6e064259a7fcbfcd6d3d6ff22594a468408fff71d785422

Download Submit
C:\MintBM\bodxec.exe

Filesize
3.0MB

MD5
5f3f1335f82d8814e5625d020e0c624a

SHA1
cc1ebe9f3217d9468455b58b8c68ea12f4c7e1c7

SHA256
1a16bd26eda1a0abdfd3461bf6344c449139efb089b908f999f71e6adb072001

SHA512
76d6c80ee31f85ad2e418a7e9b7577dd22151a266ff2f3bad242df4e76cd9c61de0a6e96968d9aa14fd5f1e8b996a3b593c13e8e609b9322f0cce91615a307bf

Download Submit
C:\MintBM\bodxec.exe

Filesize
12KB

MD5
0f1dd959d43971bf7f79671305e25a3e

SHA1
6d8e0a16be92cc3f8829972a8f7c88ea3b37ed55

SHA256
e2062ac20c5890c0dbf890e43b316cea0da64e2c7e801a4c803faf7642f715ca

SHA512
04077a2a74d996c32ac387c8b5e877f1dbc8c0222ec32d484cee13b8913e5651839cc5c68091c96037c6a765cc4488e9bf08f5316ab9256cdbcb3fa5c7307623

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
0498c2bfe74391c696fc024dd1bad8ad

SHA1
4bb91084bccce174c6cacc045322926556eece71

SHA256
8b6f57e1b438392a1d6d5fca87ec1b762b6a1bede8d75459478f122e73b46a31

SHA512
ec813d9eb84ea642f1ba74df0c2e8ff23863ffc15aade0e5bceef19d2ec5f9c9ba7fe1de207a9e34a866a728a6cb582a262bf12cb4ad4ad3169e19dd7a0422dd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
166B

MD5
59992ca493fbdf873f84213160856dd8

SHA1
e72a9cf11ecd7b7549937b765d13adeb37f33208

SHA256
1e454b8af6522a4b7c0163b052559c72369e2c0419898f48fbb658bf5ea530e9

SHA512
e2209558cf3d36aae526eaaccd7b1b4da9bf9a79840095bfd92c4ed83d46801dfe3e71ed10ad3f72fd7b59f0841815cf2ec62de413d06373c08ab6c8209dfd4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.0MB

MD5
2e4ce1fa22bca068a3d07c45e485c265

SHA1
e6937da33d8e93c46cd87199bf58ba44a49116d9

SHA256
aa47beb104ef2f709c1c168418710321bd78015ab00024ea4887b3c9c4a7fe67

SHA512
301de5abc1083a1134d41e7556f442acbcf4bd681665ba542b01b9ac5c023484fc4eb248737a81ade8b08edfbba013d08d62f49ad345cb61f339be84c87c945c

Download Submit