b8593c7ab9d69fa724ca0c6498ee8900a2e7f25430669a5c3194eadebe795b5c

General

Target

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
Size

4.1MB
MD5

7d2904bf315ecd17d3218f888b325d10
SHA1

91abbc79d24b79bf11fd05f46bcf3c11beb803fe
SHA256

b8593c7ab9d69fa724ca0c6498ee8900a2e7f25430669a5c3194eadebe795b5c
SHA512

41b170252445eb597647fc0d2e60e95f1f59223de8152303666c817a048302f8951789d4eeb9eb9b0edfcf75b6f712bf85d5f4ac94380948817b5c89e7253ec2
SSDEEP

98304:+R0pI/IQlUoMPdmpSpv4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm05n9klRKN41v

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exeadobec.exe

pid process

1908 AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600 adobec.exe
Loads dropped DLL 2 IoCs

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

pid process

2248 7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
2248 7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7D\\adobec.exe"	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGL\\dobxloc.exe"	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

1244 NETSTAT.EXE
2352 ipconfig.exe

pid	process
1244	NETSTAT.EXE
2352	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exeAdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exeadobec.exe

pid	process
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe
2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2600	adobec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1244 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1244	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exeAdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.execmd.execmd.exe

description	pid	process	target process
PID 2248 wrote to memory of 1908	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
PID 2248 wrote to memory of 1908	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
PID 2248 wrote to memory of 1908	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
PID 2248 wrote to memory of 1908	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
PID 2248 wrote to memory of 2600	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	adobec.exe
PID 2248 wrote to memory of 2600	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	adobec.exe
PID 2248 wrote to memory of 2600	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	adobec.exe
PID 2248 wrote to memory of 2600	2248	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	adobec.exe
PID 1908 wrote to memory of 1768	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1768	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1768	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1768	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1804	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1804	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1804	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1804	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1684	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1684	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1684	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 1684	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1768 wrote to memory of 2352	1768	cmd.exe	ipconfig.exe
PID 1768 wrote to memory of 2352	1768	cmd.exe	ipconfig.exe
PID 1768 wrote to memory of 2352	1768	cmd.exe	ipconfig.exe
PID 1768 wrote to memory of 2352	1768	cmd.exe	ipconfig.exe
PID 1804 wrote to memory of 1244	1804	cmd.exe	NETSTAT.EXE
PID 1804 wrote to memory of 1244	1804	cmd.exe	NETSTAT.EXE
PID 1804 wrote to memory of 1244	1804	cmd.exe	NETSTAT.EXE
PID 1804 wrote to memory of 1244	1804	cmd.exe	NETSTAT.EXE
PID 1908 wrote to memory of 2744	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 2744	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 2744	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe
PID 1908 wrote to memory of 2744	1908	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:2352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:2744

C:\Files7D\adobec.exe
C:\Files7D\adobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7D\adobec.exe
Filesize
4.1MB

MD5
fcb7664101281720745a9866b59966de

SHA1
75ed4bd2131c584eb41f1fe017e35567d7d700f1

SHA256
70de7f333e5aee4e4352f320a91f78a5b53c51ca492e92a07185063bcf688666

SHA512
81963a88ef704f83cc6ba8958e0211f940fbd3b3802b224700ce4b4e72bdedaa2de9548a676872782839bc125e7f67af9fcdb51a7298f1c3e4d5a9c9411a1470

Download Submit
C:\KaVBGL\dobxloc.exe
Filesize
9KB

MD5
676d55289ebe3b95f7296c256f4e82c2

SHA1
e60fbfe20f6dd5e273a0227788c9737ab9d0dc40

SHA256
4867ed928df39dede7eab002d04b85c682bda0ce96a32a6a33727628533d99db

SHA512
f22d87cd5f6b42194b6e873536fa1708a76308c650bbac952cbbe2e1ff6d7ec7e3dd9d2fc548fcde369b32f35c3cf65558db74c57f1b0e0b1ffa1edffbb007db

Download Submit
C:\KaVBGL\dobxloc.exe
Filesize
4.1MB

MD5
99a44bb729060714e6719bcbbf3e6355

SHA1
d5c882015bc67b440660427b270e880d46acee9b

SHA256
f652d57407e899f0ebfe0670612e9614b46443174f0b2e4802170fa77268b44d

SHA512
ecebf3e70e48a9672906e551c3fc6df4fc55e27f4d6ee7143a7d83420db8685e7aced4ce816c72ca8751ff353c63d99209d7546402254be6424d309d5690376f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
200B

MD5
90bc728bf4393f70968288b4833e47d7

SHA1
acae75a792d4d9c98fa11a5356541339bde15957

SHA256
9217c1e007cd5537c4efd84767122eeac00a5f3126af58ab7bfaef8e4a53eb6a

SHA512
7a4cc818e78cd6e500ab3e0e1614e68a1ed80e7aea4dd4052a55f85e6bbf58afa45d0669a61a578a88747d991a74dcf7e785e504aa0e8e7ad7d64089578d6512

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
200B

MD5
6b67ad21c1d46afe584dba2a33a8908b

SHA1
3784cee9fea6a1468f30bb5b6992be2c5e390db5

SHA256
2e7a286da984f5228e377c278a8a52cbdbeca4b20aca2f25b14c824bc35b75e8

SHA512
f249fd9d01315a431be147fafbcba345eedfc6341d114f3164112c0650260ad146c9ff69fa9d1e4c20405dd9bc4d1874797b3ac2867bfd315a02f621b37f8aeb

Download Submit
C:\Users\Admin\grubb.list
Filesize
262KB

MD5
3b0bae71ab02a106d839b5075cbcf90d

SHA1
743bc9e40951a6ba442394e274c7992a8e036d6a

SHA256
5c1cf3363bff52fd81add9e11ce0704bd36b3a81a0ff7b069256dfb0ebb40440

SHA512
659fe0d24db4569adf615511e8f8bbc3227d657b538f8d46ccf128da42fafd2a6120e780ad18b62729909cd922cf2e28ccebea6c36e57544431e9b289435f986

Download Submit
\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbsysaopti.exe
Filesize
4.1MB

MD5
267fe7f06d64d1a15468e46dd1fd5738

SHA1
bd17197d1fd3d93cf48ff5fe20be3213851498f8

SHA256
c522b05cedb6ff65cf8ce143502f3c73e850af4564e000acb56dedc670ef62f4

SHA512
dd8f33c1146f7f67d45e8410775b5a30e9bd69043273754463b53aa9cd8bf40169bfdaf3446e422d4e99ca2fbca97ff14197ba5d91baf74256c9a5d0dbe891a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads