14e0e41e42aa7293bb2e59e0ad0733d25905789ce48a1caa488fc14a0ec497b5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 02:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
Size

3.0MB
MD5

183694031677c7229e5ed17f8c7f6d90
SHA1

62f15b3a1384fd60d6b984ffff32af9533cf1871
SHA256

14e0e41e42aa7293bb2e59e0ad0733d25905789ce48a1caa488fc14a0ec497b5
SHA512

faf7c9dd5bf134d5857b0096570d4a7d9c1ddb031fae573f7d2092823297faae01637a70260e4c7f37bf875ec058dd24bd829b359c2f03b17564539c52b52b14
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNX:sxX7QnxrloE5dpUp+bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1632	sysdevdob.exe
2132	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2R\\adobsys.exe"	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJX\\dobxec.exe"	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe
1632	sysdevdob.exe
2132	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1632	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	28
PID 1724 wrote to memory of 1632	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	28
PID 1724 wrote to memory of 1632	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	28
PID 1724 wrote to memory of 1632	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	28
PID 1724 wrote to memory of 2132	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 2132	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 2132	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 2132	1724	183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\183694031677c7229e5ed17f8c7f6d90_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Adobe2R\adobsys.exe
  C:\Adobe2R\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2R\adobsys.exe

Filesize
3.0MB

MD5
a8845d48dd22efc5d5f688f6c995b5ae

SHA1
3bba927a868c66133243a4d871d645d2c743142e

SHA256
90ca2dcb45e556aeb307cf8ffb2e7efaf83d3ef555e3aa49e9355c18290aa083

SHA512
acd50735e55a9a5bcd5bb34898f31c476fa836e36a796837b806272ab55db4b8189e1cf0e50f8c914bb7acdb4c8f22deca470ce9220a75716cd66a53f1bd8a3c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
111cb989ac964da8ec2c73486e7b446e

SHA1
71d284e866b4a4e23820a0678c1b634e376ae76c

SHA256
14927d49184438050b39153990e3ddc674c2ad371e49cf81faaa8b331cadebae

SHA512
ae360f4848d7cc16871b3368948aad58f67867741c5b3ca4d3906a053b057fca04299caee893747129714666019495e0d923d2945d84b0ea8eee0942ea7993c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
a40c6bf45ca5d39f6f468e118767838f

SHA1
aea51b24f5c8c083debe8efb38945b49e955d1fa

SHA256
8ce61d94048817002cff89b1f26ce3779c7b5573ec7a964ac4a9e625d35b5641

SHA512
96165b4bfa599003f2911be7ca1c4496b7a62b0283693f58fb9270576d3bcbb87205e352325b20e639a8377e8aaf4532106e9f4a5ff1e08d0dcf4dd084fad072

Download Submit
C:\VidJX\dobxec.exe

Filesize
3.0MB

MD5
c48257ebe2cc3339f95bec904f58bd21

SHA1
9c113d89c3a2bf275bf6bbf8388adf59cee62c19

SHA256
6a81065a9e7d139ae0bf06b4ebc3eb94c53b7d92cac9c04d5e24231550cc558e

SHA512
1cf4927c40889857181928025969fe22714adaf2dd0b8cc5ba8e007560badfcb2e3425681c4845d852e95d84a1af9f27092acd26383768ce8726d78503cf1d05

Download Submit
C:\VidJX\dobxec.exe

Filesize
5KB

MD5
17b398df2ec540a4a99c651e6c79fb0c

SHA1
e84844c0dbc3c2b504427b50b4e5bf0d1131f803

SHA256
7d0f37cc24fb3edcb5ddc7ae98ede490bb599fb6b9e0bc5aa1719a4bab03ba04

SHA512
353e9bca38e949299279ac1474db632ae08da29f1cfe3e55ea9bcc08ecf7bc252c689454f4d3fe1c0d5920cc1f2700098bd783ad771c0579c1cce540c9d4172d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.0MB

MD5
4194d26ca7563465a697d7b4e09af246

SHA1
ac18c7e8d1e702732e88decaf6152d9b284dc86a

SHA256
c7b3cf8b2a0d984c827bb2f48e2801f255bcd3b46d107050700c039e189bb55c

SHA512
5e552e36855d965c557cf52a55257cc27c2ac91f68bf05227028965953e758e3bcf2bc09e9b95501b38db5cc891d350f8771ca2312a9e5154da7aedc6a5bc648

Download Submit