b10a672cc218783d21833077fc9f57c23d5592ac631e0fd1da192f7d42b850ad

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
Size

2.7MB
MD5

9cd9002951710e46e1bc42442770b590
SHA1

eec5ab77ed7135d665a1054fa2b06cdc7f95fb2c
SHA256

b10a672cc218783d21833077fc9f57c23d5592ac631e0fd1da192f7d42b850ad
SHA512

5f16b573360799e258794dcb351d6514db9a30e2f2e9cb5fe79066da937c5a38a6dd7523c3f04dd968ac854261c5810f9095f4d88ec44242a770eef98170f787
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe

Executes dropped EXE 2 IoCs

pid	Process
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEC\\xdobloc.exe"	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFW\\dobxsys.exe"	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4196	ipconfig.exe
3892	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
5312	xdobloc.exe
5312	xdobloc.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4376	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	87
PID 4656 wrote to memory of 4376	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	87
PID 4656 wrote to memory of 4376	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	87
PID 4656 wrote to memory of 5312	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	88
PID 4656 wrote to memory of 5312	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	88
PID 4656 wrote to memory of 5312	4656	9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe	88
PID 4376 wrote to memory of 4752	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	102
PID 4376 wrote to memory of 4752	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	102
PID 4376 wrote to memory of 4752	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	102
PID 4376 wrote to memory of 808	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	104
PID 4376 wrote to memory of 808	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	104
PID 4376 wrote to memory of 808	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	104
PID 4376 wrote to memory of 3304	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	106
PID 4376 wrote to memory of 3304	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	106
PID 4376 wrote to memory of 3304	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	106
PID 4752 wrote to memory of 4196	4752	cmd.exe	108
PID 4752 wrote to memory of 4196	4752	cmd.exe	108
PID 4752 wrote to memory of 4196	4752	cmd.exe	108
PID 808 wrote to memory of 3892	808	cmd.exe	109
PID 808 wrote to memory of 3892	808	cmd.exe	109
PID 808 wrote to memory of 3892	808	cmd.exe	109
PID 4376 wrote to memory of 5040	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	116
PID 4376 wrote to memory of 5040	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	116
PID 4376 wrote to memory of 5040	4376	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe	116

C:\Users\Admin\AppData\Local\Temp\9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cd9002951710e46e1bc42442770b590_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
  C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:5040
- C:\FilesEC\xdobloc.exe
  C:\FilesEC\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEC\xdobloc.exe

Filesize
12KB

MD5
b4b0554a9407788869d10a71250fff09

SHA1
d629b4110f2895bdded183f17368cb23f9538b6b

SHA256
41a3668d2cfa0cd75472590d37798606e4812b8224466085abd1f2c6583233f9

SHA512
be233a67226a92b35670dc2f522d7b0516b3f5413b482442b7dd4ec79a0710b36eb3c9187742fef481966f105e108678263089cd8dff8d1adc57f4096f0c9f07

Download Submit
C:\FilesEC\xdobloc.exe

Filesize
2.7MB

MD5
c228c07bfd9aa9eb549766d4a77d9a4a

SHA1
21e583ddd355e8204c74d5bc807a28ba172b7eff

SHA256
e0682e75e35cd0deeec87d93b710bb5e58a777ec98153d995402120fb1c1c2f6

SHA512
0d01fa24d70925e619f0f1b6efe2fa8618b74e4e320bca3667f878c965e7a8cca05fb21db55d07ee6ac8c0d1da222044cb403d782116c330d664714835149a68

Download Submit
C:\KaVBFW\dobxsys.exe

Filesize
2.7MB

MD5
515db15abd1204141229419546d29b9a

SHA1
f4c798881a7781f82febc8fb3a9177497f53d990

SHA256
e2415c93c03eaa1f83eb4d1dabf7c5bd3f1d86dce2484b0de3abdd07a381956c

SHA512
ab5bafa6174a94b9eaba991c0f07ed6dd3ef2f415ce12b8dab4bb4a6ef448dc49238def1e9228f489e816596bc6b1da473c15d0c552902612d5ee75c6b4ea7ff

Download Submit
C:\KaVBFW\dobxsys.exe

Filesize
2.7MB

MD5
582fb774751d5c59cb282caf221ae336

SHA1
8fd6c321dbc45714e5ccd0e6a32526ae5e3c1dc9

SHA256
bf6aebda865c5734d223d4ce64d729e6ac67d22d968a78d0092097ff36857125

SHA512
4de07b2b1773c7fc0e7d429dba7a7ee24a4cb45f8ab41861344572a8d33b4c9b3126cd5bf409231e1f1f81a5dcc91b88e4465c06a8ed092950d593bc8c73296c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
6c0e0ee5bd1db33756f5eea96ad3e864

SHA1
4b5b7fa8a6690ea3c39eea992a7834f3c345e8c5

SHA256
b85a29cef0dc8389472279e7b29348ea3d3a33ad359ef1953bff9788aaa11f27

SHA512
ce1d9bf3e4bdb9e3e762ea99ae69a98186d962ee45acee9cbb73b7ba73650a4697d0ba3c5a885340d5f4e52b62c7765df22c4b1345404e88ee118dccb0b8a774

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
0305463a62b4e11c6996dd5f943dd688

SHA1
492b1737caefe1ecc32b068503c9861ced548b92

SHA256
0a152e4c34b0d4c73eb7904674ed9f80c5db02fbb7deec27eada342c6153ded8

SHA512
91c24b436940e3b99470768a041cdc614912ee373aa97fb6d52f53cd5edb9ef4d4b772ff47ade5679fd6183074909d3685e02eb98c2f4f551da9ebbcd0daafe8

Download Submit
C:\Users\Admin\grubb.list

Filesize
40KB

MD5
244e7e0c095fb583117dd8ce46127d18

SHA1
f868d587221b11be5cb95ba3db2909362afe4049

SHA256
6f1499052a7aa67cc37c4255ec35d1e2bcda86654cf4ba0306f6338fef7dffcb

SHA512
795af7434d0a813843e606003d7e5a79e5c7bd27337ffe87c7e2d3136771e7fd1bb4aa4d5f853bf9613a3c5a6e016f0aee8b2b99918dbe9594cd24268b48d52b

Download Submit
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locxdob.exe

Filesize
2.7MB

MD5
aa03984a442eff40b9fa3dbac8a16f3e

SHA1
3f2f564855d5dfb082dd32176819543ee7eaa1cb

SHA256
3ea8ab3569a7c20aaec11ec3ea9c60a9c8ec9df51c2a2429131058d80f1572bd

SHA512
e8c3b6a4cba896aaba48b288c858e3c7c545cd5ceda3ea342e80c8ee2942f6c064d086d4cdf9f6bed71a4a64ff1b0885603ff0a5b4ec68a41d49cc1860fa16a9

Download Submit