46dd076aec1b3d1ce279c406841da457c60b120f93f764d59c4845c994ef2661

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
Size

3.6MB
MD5

1d187aeb81ce2fd93df28663ab36b7d0
SHA1

59c223cc77f97d37f98e56cf641b1738dedfefd1
SHA256

46dd076aec1b3d1ce279c406841da457c60b120f93f764d59c4845c994ef2661
SHA512

0bf69503bd3c35901ef685cecde8db55d68d84de206563fa0999856d7e0f11bdd213b582279dedf31b6cdb26057b3d2553f4124832cfd1475924b5fbac462069
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2540	locdevdob.exe
2292	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKA\\adobloc.exe"	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJN\\dobaec.exe"	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe
2540	locdevdob.exe
2292	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2540	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2540	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2540	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2540	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2292	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2292	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2292	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2292	2976	1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d187aeb81ce2fd93df28663ab36b7d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\UserDotKA\adobloc.exe
  C:\UserDotKA\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZJN\dobaec.exe

Filesize
1.6MB

MD5
f4c9953475a57f69852518f4202293a9

SHA1
e2bc0cea0f534515b3bd373f4241ccc294191f0d

SHA256
35416fdcfcc0e7e7ab942c1c6e66785d5597f6db24296c602840395b0e7f407b

SHA512
26329a853276f10575d8f8b86bc67de1f2cce819406b986a14b1351b195ac8037bfa62bc15c60cbcbcf2cb7cb6e132eb4b21242009f9212f06fddb92171a7299

Download Submit
C:\LabZJN\dobaec.exe

Filesize
3.6MB

MD5
5f88d9f6e74ebde588a9adb6d61456de

SHA1
03aecf44891056bbc04f8db878c4d98299b437d0

SHA256
3b0c380bb7f2967247151d38ddb3bc733039ff3f5068c823155d94ff93401b20

SHA512
55fddc39c137f2b8c3a1a46f628d0a291c39c09f7ff161b0627d38e522ea72d0807ca4620ee0b45fa7cdc604fc87c73f121a786bbb9e904f6f9502b423e491be

Download Submit
C:\UserDotKA\adobloc.exe

Filesize
3.6MB

MD5
f1a39bef927bd1176ab0e517435616ae

SHA1
08ca48b8420dc8914b80f5a44512d056304fb187

SHA256
26a3dccaaddd24d8e92cbb7f8de50c9c390179809c10634b38f037f4449ea63f

SHA512
a5c5c98bb307daa688dc9c59fe1e877d890ad9fdde93a571ce7a5dbec526bd14425811001dc7ca7bb36da83c8c5cc7eedc286b9c30db4c14e4f076139d590790

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
923cd99fd1bfaa50bb0e7f50215692da

SHA1
5dfea99e0d9f1ef89875c477d7b60683255fd043

SHA256
70caf865985e169bd257e719ba4a6183d63c069b772512a93fddd798305250b0

SHA512
08d5d7a1754b5bbb117532bd3e647e6c4746d3ca0b3df50f7c975de3abd92876d638125de4be59180be04628019ae0cbbc61efd575b0d5a5d31057dd2618b1d2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e4e60e613c23c0d9856bf61dde318539

SHA1
d8c3427e32d65726842a957ea4d203eb1d17ef9b

SHA256
79db6ff140e69e71cdfd1c7c90f1e0a28796a582cbf2abf698d28c5d15a58742

SHA512
21184f123d027134718ff9fa482e3dd3491f9b3daf5ee41db821c575e859bdba75303cb0071686ee09cc685b7bf0819e17b119351110491d33866133324babca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.6MB

MD5
241db6f938abbc704c0bd563593a9f86

SHA1
e637496d1861ab4ac23cbe940dddacb13603820b

SHA256
24673d0a2833e09ca471e09e2f8a80d640decc3c8044e57909eff2bcb927cd6d

SHA512
21055aea761c673cb83e8f70f00d0ebf625d370c5279318ed187272b4e692a4e629f903ea1fd93ed6180be484e6bec1ed4bca593962f5bda009b9819991e743a

Download Submit