3eaf0964e9ddb08356e0ee67159f2e6cff263f2c28d68329801306f1248dbce5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
Size

3.9MB
MD5

1450d8e11e4e7bc7e3b0a789fd728ec0
SHA1

999cd3056be4dd7add9a8af5dba6499128f26df2
SHA256

3eaf0964e9ddb08356e0ee67159f2e6cff263f2c28d68329801306f1248dbce5
SHA512

3bb74f803537fe99f7a0ef91f5df206e84a05577f791ff1e91b1ef1bcac1d9e031b9beb963a73143885bed82b605c61e49f0d4270b205bc31799bf8cd0617e39
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpPbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	sysdevdob.exe
2172	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devdobec.exe"	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUL\\optidevsys.exe"	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe
2864	sysdevdob.exe
2172	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2864	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2864	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2864	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2864	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2172	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	29
PID 2388 wrote to memory of 2172	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	29
PID 2388 wrote to memory of 2172	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	29
PID 2388 wrote to memory of 2172	2388	1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1450d8e11e4e7bc7e3b0a789fd728ec0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\AdobeAW\devdobec.exe
  C:\AdobeAW\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAW\devdobec.exe

Filesize
3.9MB

MD5
196849cbb42cbf0785b2c077ce5ef4b9

SHA1
7920372d02c9ba0e376ca2c4fbf3f227e59e7946

SHA256
96a969903468967656428e76c1c9d5c1ce89254ae05e7b228514498fc120d96f

SHA512
3119e307bef7d325d1afb2dcde5c87ca858d28205f65b8c1e9a7f46224628d9686d18fa065a90e621c24b25bf6dd64cdc5b331fd90479afbdece828ca464ab9e

Download Submit
C:\LabZUL\optidevsys.exe

Filesize
3.9MB

MD5
f20932c21953aca900ec540d2c67b09b

SHA1
afed831380263d62b96bc776d22dbedeea4bbbec

SHA256
ceaa76690605c3e4c3f23d5cd13955e7bf0d08981b76f0b20884df9e6ff0efbb

SHA512
2bd8ab75230289787412b7a7e18db4a0c8181f7de33641c2f0d67cb004005e3ea98bb6a0048fbd714106a19569c850bd13466b3b45bdaef8cf69eec674c461e3

Download Submit
C:\LabZUL\optidevsys.exe

Filesize
423KB

MD5
e9fbd95acac41f311feecf5c4b7b8938

SHA1
2a222abe79fd5ed42b205c639af47c862b366741

SHA256
5c0491969f4db9381228e9fa2b1c43d11500acbb425354ac161636e3ac1db8bf

SHA512
c35a26a056bf624f7f10e279139dbc6edb0ee3476765bf2f5a27d1a7ba0ee6583b4412a77e18bb4b8b75107e618efd0e6f27d549f4eff84ca861cc3b66a6875e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
822dfdb664b7644d0365f1f66896ca71

SHA1
78d330e9231b530d55e2bb04410a7d50be05011a

SHA256
af821eac6cea4584e54907441ef80749a665aebceadf6a730cebb68fe45d6f09

SHA512
faca0b4bc07d8d8d11c1ac1c8c0fd294019770a0d1c189f0b141090fed5a0c0a1849d488caebd579ab498aded22921d00ae7e7ffc26362a42cd1fcc7fee74918

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
7d4bd4c8d7823dba3c7142edb61466b6

SHA1
cf18191beb4279a4e1461bb1b9ee0f020e28a4ea

SHA256
27830926ef19049310d14bb39760431917049e8ff8ea08520acaa8e563a3186d

SHA512
a5444430980201ffdbc4932075e03f7c09b5b14aff87663737312c4fb649923b83ece19d3f2c5a1657b7a72683907e6c1a392593f291fccefd043a6b33d8a5f5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.9MB

MD5
790e527d1d64b94d42257f724ed89c3b

SHA1
1af9b5b635ea0c8151e3ed4db8db593342ac8ea6

SHA256
03dc843411bf06c57f127a3fccb2415a3b7963d3aafd1fa7ad85754cea16d26f

SHA512
8730846fef69f0a8749cece104b79e432fec8b47b4a6b32742db3aebe617a3b01e9a24ff68adcf21f2696003541e17bda24ab275b11126da131368d99643196d

Download Submit