8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
Size

4.0MB
MD5

bd9aed2ffadee00250dad4fcaa3d47c0
SHA1

bfe592bd0f98abd77a704b4dfb6f121c4fed3268
SHA256

8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d
SHA512

6d9eeb35b4fdd162b66d56a9b3625de5138b22811ce7eadc42cdd1715b038b0332b73db8626e20ac6a0998ebe120b9fe099f6d3993846ff0ed02e16377f20453
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpubVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	sysdevopti.exe
2888	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDC\\xbodsys.exe"	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB84\\boddevloc.exe"	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe
3032	sysdevopti.exe
2888	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3032	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	28
PID 1320 wrote to memory of 3032	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	28
PID 1320 wrote to memory of 3032	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	28
PID 1320 wrote to memory of 3032	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	28
PID 1320 wrote to memory of 2888	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	29
PID 1320 wrote to memory of 2888	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	29
PID 1320 wrote to memory of 2888	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	29
PID 1320 wrote to memory of 2888	1320	8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a0a5265f47d57010371db0170ccee60ff62cadc1663229beb9ee6fd87dd159d_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\AdobeDC\xbodsys.exe
  C:\AdobeDC\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDC\xbodsys.exe

Filesize
4.0MB

MD5
28059f7ecd29542ab2a623fb6a86fd16

SHA1
fce9ec41d27d8c28a64bafd08fda6351b6bb7a66

SHA256
18f60cf76749a42bb48f05deca53097837d6442db813cf1fee69fb3981d72d43

SHA512
78efcc3f561c0de5b2460ba76a0256172470100a2d4e7020b4607029a6c9bbafe481b5c2751d8e8e7ce9bcb485ce9179900fa6346e7c8352d58f6123dc10b530

Download Submit
C:\KaVB84\boddevloc.exe

Filesize
3.6MB

MD5
ef7c782ecfedffc154521a038272719b

SHA1
5ec390cd53c20e26a61816584fcf18758d37149d

SHA256
5e924b0f7d95fa6d75bfd3040e4531abb18a5df57d53df0ab34d9a956dbc9610

SHA512
f9020408a6959682e325af24289785ce6c3bf4bdbea7ecb345e3861be06f9e7016988e638f0fe1ac11c100d9c26e2ba62e53c3636a8d6b7ec0737ba58df86af3

Download Submit
C:\KaVB84\boddevloc.exe

Filesize
4.0MB

MD5
afd996ca9fda79dbd5ef982281de5c29

SHA1
e96b8dbb5a274d701e2a26bb65abb7834a6c7afe

SHA256
6f63ab56bb63b9a850dfc13cde45c73ba57428d62d9ad43422c5e6186566871f

SHA512
26d3dd9426ed5a805931a618e95c9b1910419126bbf4dc469a12c8f937e113f577fd15a08955fe04475b774f66034c0f595201d9539435ea81a79f7ec868a93f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
6e14c5ee5d4b63110b5451b4a8e0a509

SHA1
72958dee73b0c68a7a2927f294a1a7dded9ea914

SHA256
b9f52fc577e72086fab6c0799110f5aef15991b10532bdda517e155969620b04

SHA512
267d068b9a6aca802b5f20fe7051158d29939ca87d6e0c332aeff0973ec2da490fa74f506dc324dc72eda3448fe33cd19ffc630b9efbfb5f4d088bab521142ba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5b502ac3d8e2e54a8590f44a76a61cc3

SHA1
d26785635fddd9d32b6d87f26813ca7fa59d8255

SHA256
29ddeb3947a41d30f99c1860820b95ee618c31ff536b56927176372c59f2e38f

SHA512
a2dfdf158830c51aab03da6042385026329a359130f6977b3897eee69e8d2e8bede7ed125e15ba1949f9223bf5ae7dedf071ca36f8f2ba15275ad71708e5404e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
4.0MB

MD5
ec70263a2a982be7a5904f242249035d

SHA1
2c3caf6fd6ab4757a7bae50059e54321b5e33f40

SHA256
f3d2b15f8dcd41e640e0b5bda1f50e9907ae8c3d74fb814871022199eed65594

SHA512
e500b8dba762dd53ffb6b65d32f6ceb39357e88522622052e02e1848409640f669c41a65f4c67fb74c410b90db67f7807c62e0b072aa18667684e1eef19a16f4

Download Submit