aa7cfe90baa977104ea18529c06f6a1d381fefbc3534c4ea918f5c28c965c0fc

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
Size

3.9MB
MD5

9c6e298c9f85823cd0c31f63dc4c4630
SHA1

2e068ee65eac9d2847f33079d3250302413c4aac
SHA256

aa7cfe90baa977104ea18529c06f6a1d381fefbc3534c4ea918f5c28c965c0fc
SHA512

f6fdf21c8edd19ce5b21cae578f85b6c262aed952b09ee0b2ea464a300a604c49f7c7dda35cd6db5096dd8062f7b161bf1f5731da47887b9440308b800643cbd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8:sxX7QnxrloE5dpUpibVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	sysdevdob.exe
2108	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devdobec.exe"	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUL\\optidevsys.exe"	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe
2448	sysdevdob.exe
2108	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2448	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 2448	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 2448	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 2448	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 2108	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	29
PID 2052 wrote to memory of 2108	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	29
PID 2052 wrote to memory of 2108	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	29
PID 2052 wrote to memory of 2108	2052	9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c6e298c9f85823cd0c31f63dc4c4630_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\AdobeAW\devdobec.exe
  C:\AdobeAW\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAW\devdobec.exe

Filesize
3.9MB

MD5
9f0aadb07d16db157ade30d1b45cd787

SHA1
2a9fdff36a10fa751b903c6459360fa7806ea168

SHA256
c255e4d931f34cf0f79e7aac19673adc02ac97d9ee3efcb9fbf692d3ba107a93

SHA512
ecf86c473d3f2060a2a7a8d16b45c672567e2f702409f89016e706c58fd920924ae516090e25fb03f3ff74c130a1c7f1113d5e991af6b37ccc959b2f2dbb6ad8

Download Submit
C:\LabZUL\optidevsys.exe

Filesize
646KB

MD5
295dc8dbaef152365e2a73dd981c9d81

SHA1
98859140869b8a80c653c23ce08c1e343f5b9cd8

SHA256
c98f9b80542e97ddd4488d2a18bbfa80d94958d19bd6f9cb0eb6640f8ad79296

SHA512
97f274c0aefd268447d3d732bee4837b2dea45018b3d1682cd9ef6508e510931057acdadddec27298448d0a2e3d44bc1e28d485a5c90314a39d4bddf81265717

Download Submit
C:\LabZUL\optidevsys.exe

Filesize
3.9MB

MD5
6ad352d2b7ad04888c408af05ecea166

SHA1
706f101df2f703466c8cd4c91190226bfc930bd7

SHA256
45a195df6ce56f666f3fa42b85c02cd227534dd58021271ccc58e20aaefb440f

SHA512
f616bd626f5d4fd421775e91ba7269dc3176223c9cd5601d6b52ecc343ee3ed363d12382a310a8539df88c1a57cf4f8d0c521f0a59a69b1655e74a1e6ef34536

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
822dfdb664b7644d0365f1f66896ca71

SHA1
78d330e9231b530d55e2bb04410a7d50be05011a

SHA256
af821eac6cea4584e54907441ef80749a665aebceadf6a730cebb68fe45d6f09

SHA512
faca0b4bc07d8d8d11c1ac1c8c0fd294019770a0d1c189f0b141090fed5a0c0a1849d488caebd579ab498aded22921d00ae7e7ffc26362a42cd1fcc7fee74918

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
7d4bd4c8d7823dba3c7142edb61466b6

SHA1
cf18191beb4279a4e1461bb1b9ee0f020e28a4ea

SHA256
27830926ef19049310d14bb39760431917049e8ff8ea08520acaa8e563a3186d

SHA512
a5444430980201ffdbc4932075e03f7c09b5b14aff87663737312c4fb649923b83ece19d3f2c5a1657b7a72683907e6c1a392593f291fccefd043a6b33d8a5f5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.9MB

MD5
b26021ac9b032f1e4ae1b76c3351355c

SHA1
4506a321881511d3466594b32e176263ab07bd80

SHA256
41eba776843312571c36cc31583b948746a4e8e15912135e27a677ffb006a8fc

SHA512
76132d8fa4563423c927d6020031e61f6a5d3dec71a3703e6047a9ab8493414faef0858189b72c6cf5642665df73b5b1c31d8427cb3933de2f64399042615544

Download Submit