c31a7a410821ca100cd4423b0f7bfd902a8a5187f03b6cdc280dd756fae91d64

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
Size

3.0MB
MD5

1bcbd66f4349105f78b4de34247b5520
SHA1

05aa16b1d80b3990b7a29ab203583ac9f8edf4ac
SHA256

c31a7a410821ca100cd4423b0f7bfd902a8a5187f03b6cdc280dd756fae91d64
SHA512

f5cfcc0a21b0b28a983519926e167e9032562aba67f56e8ff33e0eeb350473156427fd96ca962de09255b9e86bfd9cb2b6ca3b30e33d3d3f191fc4d888b4972e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	sysdevdob.exe
2712	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2R\\adobsys.exe"	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJX\\dobxec.exe"	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe
3000	sysdevdob.exe
2712	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3000	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 3000	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 3000	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 3000	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2712	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2712	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2712	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	29
PID 1920 wrote to memory of 2712	1920	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Adobe2R\adobsys.exe
  C:\Adobe2R\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2R\adobsys.exe

Filesize
3.0MB

MD5
3fbbb781ff17362321510b3e43035f55

SHA1
15b168ed2a31f132c7fc7b8e62a6f7e24e040b97

SHA256
48f8fbb6996820ec52ba0bac6a90915fab4a9393a105c177d5e5f1a335588890

SHA512
d58830459c8b7acb85a3044a45ff60f5fbf9baa3234e4d9f59673d5c783726bc1ec808a78a0b54b24077ab03de7d76565814f5493d0f89465ea63b28c95aa8cf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
111cb989ac964da8ec2c73486e7b446e

SHA1
71d284e866b4a4e23820a0678c1b634e376ae76c

SHA256
14927d49184438050b39153990e3ddc674c2ad371e49cf81faaa8b331cadebae

SHA512
ae360f4848d7cc16871b3368948aad58f67867741c5b3ca4d3906a053b057fca04299caee893747129714666019495e0d923d2945d84b0ea8eee0942ea7993c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
a40c6bf45ca5d39f6f468e118767838f

SHA1
aea51b24f5c8c083debe8efb38945b49e955d1fa

SHA256
8ce61d94048817002cff89b1f26ce3779c7b5573ec7a964ac4a9e625d35b5641

SHA512
96165b4bfa599003f2911be7ca1c4496b7a62b0283693f58fb9270576d3bcbb87205e352325b20e639a8377e8aaf4532106e9f4a5ff1e08d0dcf4dd084fad072

Download Submit
C:\VidJX\dobxec.exe

Filesize
3.0MB

MD5
a4aa3e4bc7ee3cc15c9ec1d0bdaf3d43

SHA1
b4576404ee64aa1463ec836d36ba2b3640d12236

SHA256
8d6a7fff67140abb70541ec144afe477259d85ad26e045262ada67316a7f5c56

SHA512
c254b8257ec644ad0d6af245b70e92fa9370d97d44c9c30257b2bc963750a850fb2ab2583bab0201e1e7344eced6accc93f85cf45bbabed703d9ea45f16c921e

Download Submit
C:\VidJX\dobxec.exe

Filesize
3.0MB

MD5
13c28e5de16779adf148de70a3b27380

SHA1
b3b4bff8e4899c8fe5dd82125bbaa47255d261fd

SHA256
b43dd2d7ba603d9d3534ddfa3ab9ab8314987f0ea0e387c86804c9155bf2b06e

SHA512
a36280c489e70a943217dfcb268c2b5e1bf60f5b841b24829c70a039084e8a27cdfb6eaff22992ca5b61d82300233874ecae89c5b345741fe79d652c0193c338

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.0MB

MD5
112914a2c852496575e715b890ffa6ca

SHA1
1be0818a57e842ae7fb38fb420ff6339567ac125

SHA256
8040cf77ed903ba4150410b5ae414183c199d878f5657b6532bcb57b3ff455b3

SHA512
520c55a229a11bc4ffc19985d0ea904d7383cde1bc0e10d52a888d47c8ffcf0e10f5a829947903537437fce404086a4bf265e6f64bb20bf2f5958b02e2943c23

Download Submit