54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
Size

3.9MB
MD5

a17bb9e0c99ed82d091d0e8b59184820
SHA1

6f75729eab33671786c577a1caf3bcfcdea546cd
SHA256

54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5
SHA512

55bab14d5d4d06d3ac860e442abfe08117946dbed9f2cdb24f6518a2a0e6acbf04e057b6fabb5a06ced8f21fd4608feba00c2cccd2c4f91dd0e3f3583ec12b03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	locxbod.exe
2908	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvID\\abodloc.exe"	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM0\\bodasys.exe"	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe
2268	locxbod.exe
2908	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2268	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	28
PID 1364 wrote to memory of 2268	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	28
PID 1364 wrote to memory of 2268	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	28
PID 1364 wrote to memory of 2268	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	28
PID 1364 wrote to memory of 2908	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	29
PID 1364 wrote to memory of 2908	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	29
PID 1364 wrote to memory of 2908	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	29
PID 1364 wrote to memory of 2908	1364	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\SysDrvID\abodloc.exe
  C:\SysDrvID\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvID\abodloc.exe

Filesize
679KB

MD5
c8e516410781456a48c936ab806db274

SHA1
8282f6b7534be17c1fc110986b4ae82f6a7da6fb

SHA256
b032ee5b571b480497125f0f60fbbd3be8aa2d7f7ef7faf23fa3c246f8ae0098

SHA512
e29896ceeabba04595826ae7f3028f6d4a2b23dc6538afc92b959cc92d17df986c3960669d5256d67d035dbb710fd0047fa264cff5f03532964eaa1cd2b14ae3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
094d4acfa9184be0dd76f2fb1f78e16e

SHA1
8a374b27a61f41ed23a1cb018cdf1d748525e4de

SHA256
bfe9581ca888c4187884348a0366297947dedbb5798f2288d50e8280e590d89b

SHA512
281eb508d7b0c519b9b95654dfc4beecf7ca4c500eaf020e7b672accca92a5227b3ca35f68c0d8cd616027b3042b60dbb48503c2bfa959ead0c15c88cbaccb01

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
2f745c6f6fee8713f4db897d0ff6e4d9

SHA1
37025edbf5dc1734e31f67d69d99ad06f7495240

SHA256
42b57d2ab08be2ec62fa98a23830375b5d9af0bc0da5288568113c33e550e1b7

SHA512
4e08c1a7e6092fab8c59aaaf009e5ec5d5c62c46643c643e623e6ea005215b9ae402ab2ae1c3e22dadb7fef9b28d84312371ce96e87743f5778b69637f7661de

Download Submit
C:\VidM0\bodasys.exe

Filesize
3.9MB

MD5
7c605a935765f9fae820d68d43256e44

SHA1
fbb46a03b403c7e7cf416e0c037e14d2767e20e3

SHA256
564b7adcb2c8bcfc6d4797b4e3a24bafa83b6ead12f4ce831babc9fde466ad7a

SHA512
eaf542c241896b487c5d98c2bbb09d8ef4bf04b917a56f8d2ebacc90c67bc6861d01b212f3046a339c2eb91eb584d7db790c191e5c8612ad029eba240b5d5ec9

Download Submit
C:\VidM0\bodasys.exe

Filesize
3.9MB

MD5
f0786bfa4a769a8d35f6b82827970f31

SHA1
1d1f3ef2007bd4289b0f3e018d43ff0afb9e57a9

SHA256
ff622f0fbe85f7123a1337b94fc1fd67d57b8ef0ab4e1ae35400db0701cb14fe

SHA512
4e370af3367b9205a6e51378c2f09560fa07f604fcfd894b08304ab1b2e600880b408ddd195f7383086c4a9567b7bee865fcc01652cb6814ffd5d413d138188c

Download Submit
\SysDrvID\abodloc.exe

Filesize
3.9MB

MD5
857f1455530508b483cc5c1db20ebafa

SHA1
ed8e3e6517e9c38fe6debf3a3b996214097caca0

SHA256
4a0129a3a5fb543fdd7620f43363660e8c661d5d3e5ad898ae78629ad713c243

SHA512
47ea75914f23d7d90f8e16568c4dbc8b120be1204935a4414d39f416761440be4b9104a9a041e7079b9d54d4b353595e6f7a823a534f4220748bd109fab9379b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.9MB

MD5
90ee39b06cf650f45fe613b21facf0ca

SHA1
ea64ca1742f81c2d3f805a555089e1171ca45ebc

SHA256
23758abc0369df40aa705fccdecb4734e851a431216c60c108407635a5398b9e

SHA512
ae720c41b1a7f28b1d354722289b27154d83a70752dc3c3b64f95e913e9b379716d7dcd25d9f3c5f729350af9790792f5d1dab6d0b292efeebd51780ecd9802f

Download Submit