41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
Size

2.6MB
MD5

def1e869da80f5600d47d63a4f5ac9a0
SHA1

e0a5c4186efb0c4e61630bb068e6e91e7884daf3
SHA256

41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3
SHA512

49671bf7026cd639afdaba65e7d3ae18ca0c83d422bd268b6b29b279ca950bacb81d3574066bb1b28989e75b42788d33dea7e7b0d9838696e699d6442a528336
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpMb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3580	locdevdob.exe
3788	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTV\\abodsys.exe"	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT5\\boddevec.exe"	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe
3580	locdevdob.exe
3580	locdevdob.exe
3788	abodsys.exe
3788	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3580	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	90
PID 792 wrote to memory of 3580	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	90
PID 792 wrote to memory of 3580	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	90
PID 792 wrote to memory of 3788	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	91
PID 792 wrote to memory of 3788	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	91
PID 792 wrote to memory of 3788	792	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\AdobeTV\abodsys.exe
  C:\AdobeTV\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTV\abodsys.exe

Filesize
1.2MB

MD5
a3036d2be3ba04a8d980034ab3d113b1

SHA1
078557330bb077e3fdbab9c46a5a58ed83cac93b

SHA256
e61d4ad4345b84e72215f9326329703ac1bf931e26e9f995bf6feb76e2f463b4

SHA512
2a9bb85f9cf51b41502c0106483afa4bee42b1a569abbfafb0d6b52f575106224518f33c2212e5d62ad6c1663b66d2d51f7fe558bc1a456221b35e8fe8a02826

Download Submit
C:\AdobeTV\abodsys.exe

Filesize
2.6MB

MD5
0894d3738071610ecbd6b7712df0251b

SHA1
029a06eb9bdfd5b216a305813f109204f0f59031

SHA256
39ff0a0dcbc26fcf4782e26b44d4a02bba2de7716363768933bd29e6cd430af2

SHA512
b76c3528f2583238475eb1520ae5d3848e7a32cc975ebbfde316e42b6a288fc20078928d69e6bfcfb5b82407424307fe2fadee53f80731bc6027b19b07bbd8e4

Download Submit
C:\KaVBT5\boddevec.exe

Filesize
29KB

MD5
2c368577e9554133d02c83bf54a3ba6e

SHA1
49b7a9ae2d4b99497643247e01905888709f9fd5

SHA256
a133dd9ff9d9f10e5866c760cdd82f93cc9b63bbc2f61deeca3dfc19530bb3bc

SHA512
6738917ab34d25b7951ccba929c783d529abd278da5610a245c6c13691fecc1ae024dff9e6702c16321ec7300ee950a2a7fa1088dce430274f937ce643d834a8

Download Submit
C:\KaVBT5\boddevec.exe

Filesize
352KB

MD5
97b9cbf44524d86b4bd66dc9b71895c9

SHA1
7edba85c59b972da39fc9ef7f24230ecb09cbce7

SHA256
696bc7422e97527153cd190deb203957903ff9637106cacd4fdfcba3044e4f38

SHA512
b3d52a2a672af738932b3e996f2dd8c5c226aa1c9a3275533edf3fc460aee8291822f7abba236a5347acdc8fdb9a6372dbac89dc9886c1730205cce646f63f61

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
778c2ef859661021a097ec73bba1b600

SHA1
f77a8dd4853384dc57fd62ecdeb69a7f1bed5d12

SHA256
bbeb67fe4c3c668f5a43528e5c7a9d8e45d05d9ebfef0597c41b4105d3cafc74

SHA512
aa003e5e556abbfe09967f3c81ecca00c5f5c1ff6fe8b200e3d8b882331207615f440f328e87c1c92f614f09e1029e2492fca09d359533b6af62b65dbc6987b2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7a2b276cc9162c9e62679845be5e4d60

SHA1
3687fa3355b2f578bac67d7259f2524c37e2a783

SHA256
28d92aabacab8a03910f09d6676fd37ce1c4ac796039176693bf07bcb078d08e

SHA512
3828ffc12d215c0dd4141555883de3193eef2aa46e46890010b321baabba16bbcac377a0573a6af9d205a375f6c2e15bd8ee276fc94f87cdc8fe14f07c75a1db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
bab36da0adb0fe498bed7a8791b6a35a

SHA1
f7c1232746de87a2616c9c025b81d1512dd73055

SHA256
5afbf8b9b00e959871b84d281b4c19e6188c7b60a01c7e928a1e7f4a81a930b3

SHA512
189d341a53832c7d47f9db761a9a0625308b33b76c0c60ecdab2c5e6f3d4163a7e1422f1bce9f67159a60387e33804c8f0b36c2f07bed9b5c503f5bc1d3ce354

Download Submit