04a10784b3027a3ba0fb91b386a9d4258651b19dee8cf425588c5d25230b219c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
Size

3.6MB
MD5

33a9720f65196caf040dd104bd9a34d0
SHA1

26b48cc87165d484ee711491b9fb06ee2d9d65bc
SHA256

04a10784b3027a3ba0fb91b386a9d4258651b19dee8cf425588c5d25230b219c
SHA512

9154ca396a05731c7fd08a49e04c9efd64647e5f7702557a14e74e3139494180458305cf0180f57b1da97732252c063d826eea3438d84f95a803ba8663df1783
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUpHbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	ecdevbod.exe
2032	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFG\\adobsys.exe"	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1S\\dobdevsys.exe"	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe
1964	ecdevbod.exe
2032	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1964	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2032	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2032	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2032	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2032	2128	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\FilesFG\adobsys.exe
  C:\FilesFG\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFG\adobsys.exe

Filesize
3.6MB

MD5
68ea8545253045eefc7d1fc2257e6dc2

SHA1
91f5768a8219b7e60e1b3af79782fb4f76995f15

SHA256
f308f62884a3390bb9f7b3ccd7a68fa776d33cd55f287b08ba1f0fc1128ecc33

SHA512
c6e1c611c47ad260e3aa6bd3a6806058df4bad450c2c3a7d6e4e738694b4a9dddade2b5316c988149b7f23d8ef1555883932aa6174012007a1ce0f1d78bff66b

Download Submit
C:\LabZ1S\dobdevsys.exe

Filesize
3.6MB

MD5
ad3a7aad7e11a51345418ae1b88b7c9f

SHA1
474a05efe8405e0c6fc5ae2e236ce9d7b4170e17

SHA256
f7458e9d39cc842034b17ec89ff87c6ce77c515bc80e59cd9b6be1d8f4b4d942

SHA512
26ba0491cfd9afc2f18aa4a03951a7cd5fb5bedb47dd4611a4f81af0cfb7197bdce01b9ae6bc6d2ab570eca8d562d50edb8b28f83b5c97d4d533c0a4d974bf86

Download Submit
C:\LabZ1S\dobdevsys.exe

Filesize
67KB

MD5
5e9c9f263ab521a277f92ffd76f69638

SHA1
98086290190236f00f16b4d2a8138e9a86d06abd

SHA256
03a556eff04fb708e74657b7c046fb04a0ab7fdbfc15eeb435f0300dbca83884

SHA512
818a00a108f6a1cbe568d02112d29c26e0b3f4796d839c7c12c1bae493f364cd5da7e1807ca9b0be06208e398211b04f9084ef28a6ca88ccce756ffdd1fea124

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
b5a415b62a0cbdeb9814db527cc460bf

SHA1
44adaf06f3c836772ba86f52d4fbb59ef9a3c22b

SHA256
0e2e57d4341fcf99bdcc1ac36ab6f6e36cf2f2a030288cf75d64b80b719b87e2

SHA512
8e0fbb65789c939b1ba33a40f83f0f1cb54b6a5a25c1d62494d5b9cb84c8f8a6ee47688a92f5be142e4542eb9341f0a24d53ea484313ee1f3498054a17b263ce

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
29147e1d0f8fe7d500f7e6bd328f2d7f

SHA1
23f552733188851ff5048ad60b223c95bea475cf

SHA256
0b77746cf7b6202e1279bf35ea38c2248263cc6f6eb25549393083b769f714fb

SHA512
6ecc245f55eab2d8dd3a65a8f00ea92985d977c50fb6b13711c9441652d058adbed15c1293221ee9d4827eaa11d365e2d01ac78bd07245a1cb7a4443871799b8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
19b36496e32a4cee5a1b2d93ae148ecd

SHA1
7085712e6f38ae3f549a0b85e6862c6cc924f712

SHA256
018c764f900012c93c0e591e3f15756dea56218512be7c4bd501766312216a49

SHA512
c6d8548b38ef125bd158ec9c58c530024df488ee776d9a06d834a69234a301413a039635b206fc34743395756bb195598e78fb9bc4b849910af3478a5e69c1e2

Download Submit