290097f00700f15381d0ff3e19a2be3ac04dc15b7715856a7a2a20acf1989e5a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
Size

2.8MB
MD5

086f1a69dbf5f5ba8c63737cc22ff100
SHA1

973c15bdf3fb8275dd08829858ce87b6df75fa12
SHA256

290097f00700f15381d0ff3e19a2be3ac04dc15b7715856a7a2a20acf1989e5a
SHA512

fb4f7a533af342b952326ca26e880803a4b9637c7aa422f3367c34fbf498a7c4e78314f8f37f9f42aeb1e244ba3f74a8c65a321ec2784b5658cd00e77c30dc29
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUpfbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	ecadob.exe
2152	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKV\\adobsys.exe"	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWX\\bodxec.exe"	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe
1804	ecadob.exe
2152	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1804	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1804	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1804	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 1804	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2152	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2152	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2152	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2152	2036	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\IntelprocKV\adobsys.exe
  C:\IntelprocKV\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKV\adobsys.exe

Filesize
2.8MB

MD5
ff98f3cb77fc5309ff087b6330bda29a

SHA1
73e20fd1fe311b64e86fdd40edf9c7a0467e89a1

SHA256
64ee857a4391d75b565128c458f31c91025ce268a49b57c38fec5e79b23d7d51

SHA512
919218b6ff0dd8cbeb5f81e6331645b30fb864b7f3aae9a1e61f42d5b048382804dfb4f07f88eb121a6926a8b267fd9ca6957dcdada75b03bdfc5e8968c9cb05

Download Submit
C:\LabZWX\bodxec.exe

Filesize
2.8MB

MD5
c9fe6db8c2bc58d370abcfeae13c1d2c

SHA1
bcfd7ae468ade4ab588e3816be0f5cbaeab6bd3b

SHA256
cc130a67bb1347ba102d427f0f45adddd1d9cd69b334fb370cae0ec80ce90da9

SHA512
cb11e7b8a435aaf9631c86b4a275e928e96c544e42a8a348275e3a28829aa04244e70e40d1c6f7eb1e5c80f10b10d041d05e33cf262040f00d3bbd6ea782e58e

Download Submit
C:\LabZWX\bodxec.exe

Filesize
2.8MB

MD5
275d4681ef0674fb3d903f766e7c1436

SHA1
b9e23ebdd7da6cc5c4d0bb61c736ecfb0723443f

SHA256
d40f98d9617f99af764232c3d22c096978ae8000a41be6985af286035fc4aeb2

SHA512
f9674f7745a2f50158e55415100c86242d163cf106247e8cb220e5c238ed32985956393d3d7d6a6b9b64f17b7a79f0885e8e2cb8a49c30767b5079eacd233409

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
8f6864418f658fae81cce527759f1822

SHA1
204d977a919ada586f73bf967ed3e9fe71ecf771

SHA256
0a2a5b58a1c7546ed2f7e56836f009722c69381f6880f870c981678bc1216745

SHA512
2bf09e75dd664ad8cc0a29d4633b12d6420695dc8f87b6d51830fa33a83df32250ae9ebbad4b070494d59350a7ceea95df0cc85531387fca8cbbfe195fd1bb1c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
1813a50d892e654a1dedfd57052bff60

SHA1
49c25f2a28f6e76313f347423c624289b9cd2115

SHA256
f10849af90597a13971ec7f7818692621e06472e3efea548e638c67aab68968f

SHA512
a440c021d15e912ba6012440c8f5b8ec6058dcfa23ed33dbde6ff29200ef72bd64e41daf59d526c6e3464f59612f9f6352de7c19bc8e8cc2476c9b813aec2859

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.8MB

MD5
aa454eb2877f6a9692f5acebf5ea1518

SHA1
443f80e768e09b3388c2055ff626d72e355bc3ad

SHA256
423e66ae88bb5d29ea4840a5d27fea7232d31ad9d4ae02c626d2484cc5c3974d

SHA512
37544f41ed15d5deec2f1712edfa01cb278a87edabfd4596b3d7d4a5047482975c18fc793321c0420cfed33596d0c0753cd03e9a33a0db0b9796a9512e8795c0

Download Submit