e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Size

2.6MB
MD5

1472ede8b6ff7b8953f3a03087c432d0
SHA1

5dbcfc62a26e8e8097c78451d228c552c2264224
SHA256

e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6
SHA512

02e1b866518e5c1c281308b44b5293a58b6f60be2df1937a60e2fe06f4ee142d9c2c137caf7568d7754c35a2a81f488ab9ec3f3fb3c841e5fe8e43f76e0dbbfa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpSb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	sysadob.exe
1732	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\devoptisys.exe"	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR6\\dobxloc.exe"	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe
3048	sysadob.exe
1732	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3048	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 3048	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 3048	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 3048	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 1732	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 1732	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 1732	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 1732	3016	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\AdobeHM\devoptisys.exe
  C:\AdobeHM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHM\devoptisys.exe

Filesize
2.6MB

MD5
05a3c45c928f2c132dc16e9d9dcc8870

SHA1
2a48e9ae05d8e7f4972a39950f5792bf8f1ed590

SHA256
0c462b5455be46292eac29f24d18b83b8671d12180c798ac21934223fae3a0a9

SHA512
c3032019b97c58034f842d9283f844d5249efa40b4240a53244d54ea767080348fcc85f58094ba5451745b2e578670a571722b274da73a81e0bef8d31a17ed94

Download Submit
C:\GalaxR6\dobxloc.exe

Filesize
9KB

MD5
bceeb783568178019cfa9ce19da30a69

SHA1
3918c6d01f7a27b2a71133015ea935c5555085ff

SHA256
41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

SHA512
7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Download Submit
C:\GalaxR6\dobxloc.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
d920626d821f1a90f47fbb1a23eba083

SHA1
1a0ab15339fb38bd6712bfb2a3f879b45ef01f54

SHA256
67cd9cfa210b10158e68c72a08e6e0cf41feb0414ac17c6fe90c145ae2eab585

SHA512
23a5878d58438812d3dcde0013f3cac463d90722023bc0e9da168c5e029d299ca90689997be0ea8626713c809de98292294d2600d99daed119c47f58a0cd1409

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b0f01d5b1bfa96d3607155e973c1b501

SHA1
a40d221aff4af6220a9531ba807f75798975508e

SHA256
265aa1d6bc544f588b6cbe6e46a0cf11788ba83badeefdbdd07ae29beff66042

SHA512
2bcbc289ecb39c1f935539c5dd8df58fd13803c5330394ecd81b9206eb364d7dcfaf4edefbd4fb87aa2a2014d994d9b143134805e8dd369a3690684b318437e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
52a526489969e5ecd372caf897aa8da7

SHA1
4ea29ee99841ffe3c8228c9c681af72c508df085

SHA256
df658195e5844a6b1e59055a3e35810111e4f7451ad90830e7e68bc972455d0f

SHA512
ebcec5846cf763f26df44fbb9edeaa5508cf45527291c67ff85bc14b2fdd54c05c8893a6e0e3552dafd85a24ab7240f80fc46c5d9cbb6603bab9835080e64134

Download Submit