8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df

Analysis

max time kernel
150s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
Size

3.0MB
MD5

80d342bb3525d39db873b7775eb563b0
SHA1

28b8867d01c8e2c5f8ed2bc58a4a12d9c63f9de4
SHA256

8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df
SHA512

24051e407fdff0f62959476f9fdb71422901e949d8a9a0ad37453bf38c06db575af113b651be460cfe49fa1933ab16eccdf8830b811115b217523f2479396f68
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUp3bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	sysadob.exe
2740	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8B\\abodloc.exe"	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Y\\bodxloc.exe"	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe
1716	sysadob.exe
1716	sysadob.exe
2740	abodloc.exe
2740	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1716	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	81
PID 4956 wrote to memory of 1716	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	81
PID 4956 wrote to memory of 1716	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	81
PID 4956 wrote to memory of 2740	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	82
PID 4956 wrote to memory of 2740	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	82
PID 4956 wrote to memory of 2740	4956	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Files8B\abodloc.exe
  C:\Files8B\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8B\abodloc.exe

Filesize
1.3MB

MD5
56a702c6155e26c3b6b92bf3dd84395a

SHA1
2535cb0ae3a95c1ab22fcd9bda192199ec4c5fb7

SHA256
77bba623653022de69a11a62d810a7ec55a76f755247027273a1082c000dbd5d

SHA512
3d4fe65bf9336a8c279b0c185161e6200ebaef994aad2c362a1db800dd645a36189e6f96f2475853e55f36d07f2a58e2fa7023b67a6a3dea7694750656b855da

Download Submit
C:\Files8B\abodloc.exe

Filesize
3.0MB

MD5
2768078c9d73643cd7abe0507520be43

SHA1
7e56a8f0bbaed593917a7cd518f473f6e61f9833

SHA256
b2a018b4e4820ed7055e1b392f14b49fd727f9aa60357a6c4f320377d98550ee

SHA512
131b09519777f5784f300641b1245bdfb38968372729e373eabda3204ba226670d2f9c8d14a5d657d43abcb99f2211603b80559d8d6f6f6794d1808b478c0a5b

Download Submit
C:\KaVB1Y\bodxloc.exe

Filesize
120KB

MD5
0be4987c1971386af2319be80fe6fe9d

SHA1
3c303aa44a2c6bfff885bacdad4af551271621cd

SHA256
eb3abc21a14c614e73f6628e249aaa68f1b3cdd383ff6877be255768c8468318

SHA512
9e8fcf1d45904179707774a5e79014205b62639a27c0b90693590b24ffbebb7186f3e486efa15c742df0134ebfcee2e07929607791ed52ee60cd6ce70fda7fff

Download Submit
C:\KaVB1Y\bodxloc.exe

Filesize
673KB

MD5
03f0c6a6fe78e5bc7540c9c0acdfe667

SHA1
73e6cb9b5478d0fb1f8a6b0326b7f0c1ae71de50

SHA256
a303a059788bcf9842c86e9ad1128c90cb808e9363846c03db5b6c959b8de4ec

SHA512
8dc59c53d532d5b88a5a872a2379f9191298fd5a66901c3b1cc555db3ab9421abe7b14c91fde491c8c63ec66be72306ab5d6c0bb4813e974712dba8449ad7410

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
fed339b12eca8687f09b3da469e010cc

SHA1
6ee747aaa0fa2bc2ecd78309aada6085f10344dd

SHA256
879f57438f40066c1fd3e7139f07339bb65172c9d15b631275f59610ee1c227f

SHA512
17e2d2f883c95f7e8fca8d5a9be9520bb5ad12c51dab3d077e546295fe2c2bcf154d58395dbde3bcfe06ecc4797a5d7ef5be5b27477d75639407e1b011f30d95

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
caa6cf2f673e263b9672845931cad8df

SHA1
2dc2df134209db3213d272570b37093db549f448

SHA256
121f0f190aae01c4e762a94867bdd9f3595a766181646f875eff820cc4f3f116

SHA512
7d31333a90c9f7795b23aa5834a71dc7bcc677ba53b1664368cd4ccac62cb50da62de10e7f5bb8e23c27db6bddf4543a9bb9d4c9e812b4bb80d1efd7af3b84ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.0MB

MD5
e4c33da52ba5bc000d87a581895b831d

SHA1
c3642e631dec4db65737486a595a772f11e951b6

SHA256
8a5f94723ed59b552761dc755921f0c3e0ce86bda207bdef9735c366ed9bf0ed

SHA512
0e2148276281ee3677cceaf856418397f7ed6a7b018a1e28f42125ba0bb0f1cbaf673f663f9b40e73b1428f9448266f7862c3b6ce7b85d94a8eba450f65baafe

Download Submit