ef2b48ec5628cab7441adda07bbbc64c34655c7bd541c1f98d6d529b10c234b1

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 11:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
Size

2.6MB
MD5

e8a84df07ed43f30099fe2b3b8b730d0
SHA1

1618147da7703b0f891e8230701804953e0387d2
SHA256

ef2b48ec5628cab7441adda07bbbc64c34655c7bd541c1f98d6d529b10c234b1
SHA512

84c9db0fdc71f38b0eba6c71dce54edbb43cdc304cb892f36ea53b7cb8ffe66178a667f76e154e5a52d36ecf90de514569de087877f11ceb8f8b7177f7e5f1c6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUptb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	ecadob.exe
2236	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYW\\adobec.exe"	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUB\\dobaloc.exe"	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe
2352	ecadob.exe
2236	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2352	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2352	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 2236	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	29
PID 2300 wrote to memory of 2236	2300	e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e8a84df07ed43f30099fe2b3b8b730d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\FilesYW\adobec.exe
  C:\FilesYW\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesYW\adobec.exe

Filesize
2.6MB

MD5
01f440e9d808d7cf19d1c0cdf6972d06

SHA1
b3b550a3392e9f7d471059dbd780735f568fb2f6

SHA256
5e5c37cb17a53b1e96470a8183559ab36829bd0e623a138dac6e94270a3905f8

SHA512
cbcd9300defd14a7a9c2c70121d322850024274b99ed912553a4bec29792882db3655b327a950b9c00bdfbc03223e9b3c0efe37aaf4a5f7caa1b1a55e4d4e135

Download Submit
C:\KaVBUB\dobaloc.exe

Filesize
2.6MB

MD5
70ebff0b41fa383a939d3463f1f12588

SHA1
70d73ef49ff2f35896ac9402200bf062fc5b76f2

SHA256
45555123d934c146108d83c1e23d2733238756fe2fd72f7d5fbf5dff1ffe47c0

SHA512
f150991f8b3c61a3cb358ae7eb4c5f8bdebb7e490255f26b78efdfbd429ef7e0d17155319c2019965c51368b65457f70d9bbb34d3695ced55fbda235e6cd44eb

Download Submit
C:\KaVBUB\dobaloc.exe

Filesize
108KB

MD5
194d6a8580113088ee1cb16ce995b7eb

SHA1
82be3c34f30529bdf2e6b39f0c449d1962a96e53

SHA256
4468ab84670d2d1f1ef1345571ca92da2eccb7e97b84fbf6eba1fe50f5b8174d

SHA512
17a671fc890ce788cf6326eca6d2c6134cdfef5342edb6d44b21d1061f179172855d2fb3c96795e8995d482391519bd1edf26eb5cbefdca064cce1a39ab94edd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
505b662a9d51f540758a54c68bcfc625

SHA1
8eb7d9753c3528ece56dffb0ec95d99a3a608625

SHA256
23a4d703dc81b58a22725d4945fc1490ccaf1db512f2afb2f46889278687a9ac

SHA512
5f371b1c87a8540b5edb9e238536270013b6c1b842eae52260aa867c113aae558d9b5f24f92db7db25d8dd0af063d258152462b2b4a060f8b0e1e4da96afe801

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
639da428ca18231cdd6bce647ac7a885

SHA1
45e12ee9fce97fe8849fb36a4d1498d9d776c2ec

SHA256
029475a0cece64b141b00761634baacf379c72b7f4be3a25159e3459e3dd2f7a

SHA512
2292df691b7d9035dda587a7eabfb80c8b25ffa165a1c552f82a62a0abb52debc3ddc73ee7420b0f3cb14c5fbf10616f6a728bca6e2782ebeee444427459d08b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
d22695445c8bc03ae234c399c0d4a6a9

SHA1
d5f5b8bbaa3156c57357bb510d81d521e98cb49f

SHA256
e8ea8786137831c9fe60383747d0dc3bded2da1bba293c9107dce85843aaec97

SHA512
163a746e14988165a0def87c6b92086ff7e317709ca6a1bd87703d952c3a679ae9c8334ff0a26bff56d8d3ac2c7e2ee53c7828a6dabd9abdc7fb035bf9fb99b7

Download Submit