4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
Size

2.6MB
MD5

0ec57464039e84b7596ac09968ba3a00
SHA1

3f4c6601e6c74e7ae1eff072385550a549f7bec9
SHA256

4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d
SHA512

156a17fb6e20f51ad7c2623879cb5c2b1c0fcb1ad6ce265f214c0378abc2dbac12423ff9a4cde8528a968b55b1b9164d1285ee1e68d4f98ba7c91e49dca1931f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	sysdevdob.exe
2980	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9Z\\xbodsys.exe"	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTG\\dobdevloc.exe"	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe
3052	sysdevdob.exe
2980	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3052	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 3052	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 3052	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 3052	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2980	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2980	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2980	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	29
PID 3068 wrote to memory of 2980	3068	4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f31e4dd47aa35b6891a0729a43b5f9d9024aedeff2b446945b4993ab6f8587d_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Adobe9Z\xbodsys.exe
  C:\Adobe9Z\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9Z\xbodsys.exe

Filesize
786KB

MD5
8bbcf516ae3f8c0505879891c7a06090

SHA1
bc6356df5b1f2ec5a29de4de9b370cb9a0a9eee7

SHA256
edcf6bbf4468e5f3f1eb74cfa6fbd43623873c58dc15d206a5741c357d19266f

SHA512
9c54e9453d3bc33e367e0dca63a10786e68c9b09789e3fddd2a4480d74a135607bc3402795ad82e89a0598766d738328f9f859eade54cf24245a27d5e8f7c39b

Download Submit
C:\KaVBTG\dobdevloc.exe

Filesize
2.6MB

MD5
57b18e77a28998390dfb1884700f3e9c

SHA1
38d432b949936de81c6ce05e46dc420280a68401

SHA256
56d902431e94fe5bd2dfb24d12f530e78c127ddd88bd1a5f78eccec9a61fad4f

SHA512
e30e6019d7aa2530f92041ac22e907d3d79da41f788100b4e98a8893f3c2ab85822438d87fa8b99c6ce3337687693bb2ec47fdaaa7f3ce4ca9d849e9f789b3c4

Download Submit
C:\KaVBTG\dobdevloc.exe

Filesize
2.6MB

MD5
42877dd7791a0da6526763d91b4a7c0d

SHA1
1ac772bcccd2079f740fdd3ee8be6cc3a6c1c34b

SHA256
f07f3cc07a0126c6224db79639f6487a1ff947d73de97a99fcfca12805c02e3a

SHA512
4bd6b1b0c26063b8eaa4919c0b7c308830014d4279ce7993f709e4025bf43092f59171fe306f40560f5e4e169d55dccdf4b3919411bed670f940cc1a84e8a4f5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
dab336aac847262e950dfd742904c7c8

SHA1
c9d84e4a7d1f34ebe5ce053504302b2fa9be4311

SHA256
ad1354930660f68838fc5b6c41105da01f932f3d31571b87f6a924ac9f3d9d84

SHA512
14b98b91f9ccfc4c3eed30ea929844f08097b5b900bf49fc93ed65575f6cc020884f6d7e2be04de7b36f1e5c79ecc83a3340680e0c06859b5ef2229e3d5631de

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
116ed65fdd9e5ba03a048f3a6a8b6024

SHA1
a2eb7ac1149e2a33f347ac6d390a5c62c25c2ebb

SHA256
82104b9bff26971b1180b24e21fb54a309f6f7db4541f2eb58920add78df13f8

SHA512
e86d1fb7a983a3b9294e6860bc160351cb8ed7404525dc5799acd8cbad8abf4a64f150b43259a58ddf226151c5669a046816b2558bcf1410e2bc333fc80e3976

Download Submit
\Adobe9Z\xbodsys.exe

Filesize
2.6MB

MD5
0c30ec08bc6f9e2463d1174059fe31a1

SHA1
d5885de33318e3e600aab367dfdd9e1b5f006bfe

SHA256
4965a6ca0c022ca387000de685f0e8ae9e07ddbb2158b6acf889a98595072f20

SHA512
735ffff6b871ca0cb35940baa123954b5fd97f15a2c5aa2f6dc2172983665862c6ef4917aff281942b598d95c978c9fcb12d244ccd8042f043e9451eb33b2a58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
58fa75aa006ebc583ac05c2c9e05a128

SHA1
5d986b385e29fcd7b505b60719b70dffe1080eec

SHA256
bd769064378f922d418f8c67b2bf7221514ca474ab7bb789f1b58e09845c5cd2

SHA512
f1a51c0e847252cd90163e3f8508c8c34425072d6fdb3429d2f0f4830585d7c0a6b2f7b29b4afafad04811979b544c3475782fa57b4f1f6469cd00dba7ec43f7

Download Submit