558ad82a6d72ef881da4c00b596fbea5c4ed8906ee479aff259c2239d6afb90e

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
Size

4.1MB
MD5

275c0950e1acc56b9fb83ab95c33f9f0
SHA1

f6e8b07e0c57d1805e4c6fc6c3874b837c81099e
SHA256

558ad82a6d72ef881da4c00b596fbea5c4ed8906ee479aff259c2239d6afb90e
SHA512

c7e2769fc9d27a9482b92e1031281b3a5962cbbbac76d0997cc0772970fd3052b3186775697be5de337137bbf8f659579d05ffa1741f2ccc763dac55ab6a1699
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	locadob.exe
2632	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNA\\adobec.exe"	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVZ\\optixsys.exe"	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe
2940	locadob.exe
2632	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2940	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2940	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2940	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2940	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2632	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2632	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2632	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2632	2612	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\AdobeNA\adobec.exe
  C:\AdobeNA\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNA\adobec.exe

Filesize
4.1MB

MD5
b4884ac30fd6da15997086c2ce8747df

SHA1
65075f481c7358d1046d6ff4faf222efecea97f7

SHA256
9c4a69b01106ef9731ced4a10277f9424db23b5042178b1ca5519f79bbce8706

SHA512
219d6c62257f82107f62e229c7990d67d818f9d356a23e11ee907596d5c0333075c5a4a528574c195c620efc3acd02b41aa77b322eec5b4a08f06124d21e9161

Download Submit
C:\MintVZ\optixsys.exe

Filesize
2.8MB

MD5
2065cda89e8f5021e3abbc3e9292959c

SHA1
85b4aeb3d0f8a3809c71839d191909127c5d6bbf

SHA256
e05da32502e09b13b918601fcb0dfe0663262f2a7b642a798950cf79bb16fc14

SHA512
6dc6672f02b2e58a61fbb183a9c16d04888cb51f2027fe632df5dd1d3181803b818bd70b274819fc1453fb6743db35f7262a9a42165ec8f33836ba869e29df09

Download Submit
C:\MintVZ\optixsys.exe

Filesize
4.1MB

MD5
beabedbd6eb067913b7bae265f448250

SHA1
baa3629ebbe4711b91d0d90105e546c1ccc9ab82

SHA256
5a5bc2ca669fd26eded6dd44c5d8ce386b3482cfdd42abc45c4a9c2c8b9b957f

SHA512
459466fc1794bf48e548c067f44398c40cb62d79e9900bf8af49f899eefa76219f55b62f5dad0ea1ac4db89a576ef73f1a559e3a295072ba7d55a13d0c1c3755

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
f7b2a8970869e0ac74c18f70f1d48fcc

SHA1
a793f951aedcbe06b329b251bc0f7a3282bb254c

SHA256
17ebde7fd87ef2bbca936e27346e5678d2cfdc8cf380b0849b273ee28669747f

SHA512
4b523b7c89634ea5fae23bd20d04fcb4c71a1517a37ab75b7a2ce48499fcd00c66f2d1bba142ca74f70f43da5b53d75fa022cefc43d7af5de6521cd0b7051d6e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
cc681edc187cbdff798e3c09e77932c7

SHA1
f4432dfc6caf1607a0ef95f31fb6b97c5de34b92

SHA256
ee8f204c4013aba40f82b7af8b72520391f43dbc18c8d2656b2477c80afb644d

SHA512
432bf7e998d5fd7fa9f1ddb60337e87f8eb27c4d7b13a5d105577b7dafe4ce212b99b1994932ab3e0c9fd318a09d7eb1518e7970f71a793ac6dcc4918f92b619

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.1MB

MD5
c81db6b84bbda65dc915a4b183c73fee

SHA1
256969f1ad41edb0ffd04ad1c13ba6bd58fca2ba

SHA256
a2ad74f697472d4b682a821e41936aec9c0db608acb52541b74599a1d18d9d95

SHA512
23a05757c83a27c70844ae349c65ecef57715534ab4e52266d28713da82401c4b823f98c839bb839adf56c3cb0a8f025217badad632107ba4c02ba6ed87c089b

Download Submit