06b544da879fe2892952849008128ced6943c35678de2156c248590c230dab82

General

Target

246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
Size

4.0MB
MD5

246e750d3fcbc7fa2ae488b8a6588980
SHA1

e6343a5edb6e844accfb65a591cb501fc765f730
SHA256

06b544da879fe2892952849008128ced6943c35678de2156c248590c230dab82
SHA512

b37d95bc688825daf00927e0ce6ebe16f8703bf94ed78b2a412fa409639c258a02e1618b119b49507430f2799a85a2e21b8b83ea7dc8ff83e8c9bdd233b6af85
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

ecxdob.exexdobloc.exe

pid process

4716 ecxdob.exe
4060 xdobloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4716	ecxdob.exe
4060	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8V\\xdobloc.exe"	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUM\\boddevsys.exe"	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exeecxdob.exexdobloc.exe

pid	process
3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe
4716	ecxdob.exe
4716	ecxdob.exe
4060	xdobloc.exe
4060	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe

description	pid	process	target process
PID 3588 wrote to memory of 4716	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	ecxdob.exe
PID 3588 wrote to memory of 4716	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	ecxdob.exe
PID 3588 wrote to memory of 4716	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	ecxdob.exe
PID 3588 wrote to memory of 4060	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	xdobloc.exe
PID 3588 wrote to memory of 4060	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	xdobloc.exe
PID 3588 wrote to memory of 4060	3588	246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe	xdobloc.exe

C:\Users\Admin\AppData\Local\Temp\246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\246e750d3fcbc7fa2ae488b8a6588980_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Intelproc8V\xdobloc.exe
C:\Intelproc8V\xdobloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8V\xdobloc.exe

Filesize
4.0MB

MD5
db5806af1d689e7197460a41f2e07995

SHA1
ec401e9160007eaef380b35dbe62ab5b36412978

SHA256
b4bab001467a40f145fef86a4c4ca87c2a1dfcaaba0a632da424e56e6a141827

SHA512
a6d004cb228360027dbe4ac9850a19762010abdba139d77a51b07669b5e4d3db00e6f2257ddcfc6ad9de422465d8f1d389142ca41cf6833d61c0604a858a6c7c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
c401dd39f12e0dd5f1fcc4b541a460f1

SHA1
c5867671cc9743f3d91ed1d5657e9d624193185d

SHA256
63266ecf1b84b45989e784659b8637d7c8cd41f667f21fcba88c3a90f4535b2a

SHA512
79271a47b25a5873384feaa3036970db27df18b34c24e639029b2fff430e8de9b66cba4c9e2ab921267e27eabb780b79589283fed68192ffd758adfab49f47da

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
81ceec67bea390d09a45778c7faa2eac

SHA1
a68569603a5ddb84fe92ae8f6618e4f78c93cb89

SHA256
fc50c9444de720d9e08d1676f242372c58bcd8e5ad8d1a1ba39b2dc05b0690e5

SHA512
f3017d5739e5c66e16827c6da3099f24f448ac99c90381d8f3d06fd50b6b374486039838a796545235190221a41406a9ff736a94425fa47f18b81a8c70e9b07e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.0MB

MD5
18999875b6212df01e330136e6544d4e

SHA1
6fb50822bb1542b3466d6f7419ab8b7a47bccb79

SHA256
7be0626850fb9c70f2b6868eb2d7dedd42ce87e1e63fc27a5b10157c8cb8bcf2

SHA512
da69bab7e35a3b56321a8393910dec1cb00d0f361bffe5739a2a717a753e483c651cf8ef022fdf13c4327c583ad9db4aeab5833cbfe2c923fac5fc4e2cacf30b

Download Submit
C:\VidUM\boddevsys.exe

Filesize
4.0MB

MD5
c10ce8cb6899a8fc9df52d2577f6ff12

SHA1
1929895a33429665146bf7596995c9e1937530a6

SHA256
bd32ac752a7a4504cf8279a2da27eae948040d6195a2b5a3fb11c9db23cc793c

SHA512
675997dfad90fa081241d1c7ff380d5bd0dfdf48f4085b61beb4014ad0c116d3533e2a551f5cb1c91bdac7816aef72d8158112830df01e0093448196a163704c

Download Submit
C:\VidUM\boddevsys.exe

Filesize
28KB

MD5
a7d343e61d2f478071acca4d88045f1b

SHA1
361b09214cebfa9dcd17163f016afee18c63ea82

SHA256
c98e0803ae57fbca2bb87a6774daad7af68f3e2d588c67f663cf71ec9baa58b0

SHA512
4ff9907890397f85774ab2edd1cc717159fa59e28d94717f67ec72b29d8c290d5e54e6e7bd1098ecd62fec409abf8f14b0317de184aa2c03c81d99ca41e90d47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads