2e28e8a244430d0dc9fc788a405bf044a4a6fd8ebefcf6ba9c78bd15e1001fcf

General

Target

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
Size

3.6MB
MD5

231feec23bee69ca907eee006c410a10
SHA1

d31baf06e944e455ffb311e8200721621ec11dad
SHA256

2e28e8a244430d0dc9fc788a405bf044a4a6fd8ebefcf6ba9c78bd15e1001fcf
SHA512

9b182b1fbe428a6806418071b913d83469ef3f978eef19f1f765a30e04bfa88312e5a17ba703d932e4bc19bc65ce053778e3917549b68ff4d625cfef54d9abf1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8:sxX7QnxrloE5dpUp1bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

locadob.exedevdobec.exe

pid process

3672 locadob.exe
4728 devdobec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3672	locadob.exe
4728	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocN4\\devdobec.exe"	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBU\\dobxsys.exe"	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exelocadob.exedevdobec.exe

pid	process
4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe
3672	locadob.exe
3672	locadob.exe
4728	devdobec.exe
4728	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

description	pid	process	target process
PID 4436 wrote to memory of 3672	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	locadob.exe
PID 4436 wrote to memory of 3672	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	locadob.exe
PID 4436 wrote to memory of 3672	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	locadob.exe
PID 4436 wrote to memory of 4728	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	devdobec.exe
PID 4436 wrote to memory of 4728	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	devdobec.exe
PID 4436 wrote to memory of 4728	4436	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	devdobec.exe

C:\Users\Admin\AppData\Local\Temp\231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\IntelprocN4\devdobec.exe
C:\IntelprocN4\devdobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocN4\devdobec.exe
Filesize
3.6MB

MD5
54b9229a5f03e6508301a367fb5382b0

SHA1
ffa9d2c4d974b61eb8659540142c235388106e66

SHA256
0773464dcf904d504eadd607f7d448beff2f4e9be3062a0a74c68fc1b49dc394

SHA512
197f86c090f5ffee556d45b8db4d3033ef62987c1a893783d1ca78260177c49b6bca7908c74e892636bcfea33b25877e9062a0d1616d3aaf46a1384a11b04bfc

Download Submit
C:\MintBU\dobxsys.exe
Filesize
1.8MB

MD5
900a6c5d862aa0ca30a362086982802b

SHA1
04f57220447169dab5f7a9a504314a6809b43e8c

SHA256
1f5012a4b6995836b76d30921198aece344b919222fd2a9c345ef2d8d1927200

SHA512
682090b55682557a9b70abd745bda16f91916adb06537ec65b84c0256e803f0727090583200217ce0b4aff401cd45e03494952e653a9b3897efcc5798448bcce

Download Submit
C:\MintBU\dobxsys.exe
Filesize
3.6MB

MD5
7bb7541600b73143eceac69b718339dc

SHA1
5e9cbe96cd6e11bdc6494ab5b9b18217fef8a9ce

SHA256
cd5c42bdbf1a1cc9e6d7c464661b274d658f98d10a71de6b3e778aa2808fcebf

SHA512
c886696296b5002ba049f88b6f71d8bcb02331b1c77382b1e69c3cd207988a5dde7696a6463175b8795bcfd93556d8392079e4c4d86c5cb9cfd5ebebfb218d78

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
205B

MD5
d561b8f25a5ec0e6145179ed165a7b0a

SHA1
a3a3d33eae192f281f2b59a37a5d87fa8eb14a30

SHA256
475d42901e569233a2c3e0204d46753f989717493d87f2ef22ba964cad36b3a5

SHA512
ffd7bfed3a0b2a91e41437095e3fa9748f3f155a2ca1d9498913f83076f727e257ffcecadf589e8126b26f3d298163b8db359547ab2d54f1cfa3c1ccd411a601

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
173B

MD5
fad1bf64fabc5717ba4cc4965e1e72d0

SHA1
95575a10464b66736604ae3f4a5ace7ec79f911a

SHA256
f611a78dd1f95ba2cd5ee41e23e8ccd3aaf36b4b59638241b387129ea15bb106

SHA512
15b1639fd472bc5b63c2b0c56c42a0acc94f4efbafd83e4c0148b1b782d590a1d7292ace4e714f7ba2c4b818e0b00a33fea665dd0b4f1e7cb0bb5bb5986156a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
Filesize
3.6MB

MD5
cc2f99c01a8a5a15cd8dfafee50e004b

SHA1
50e4cdb8d81bcc91062c7f8d7e9a6cd42ccd4fb9

SHA256
7bd1b99a8e4e2e297b357bff07816283a23a557b0016b24a68886e814fd6d99b

SHA512
bac8a6c20abedf3962ef9ecd51418df3203f6ead835a729b4a7cf56221f4bede446cdabde3925ba58135b863f21b233c1761faea83815d0af5b8bc17a5fa852f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads