55d6b5084d2ff061e3f105c17031459105a6c320bd39b127ee76a7d5396c286c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
Size

3.6MB
MD5

68485cdd45c7606f9a95dfd2c1104480
SHA1

f03fd91c0dad2534b4eb95b06172bb085f11b182
SHA256

55d6b5084d2ff061e3f105c17031459105a6c320bd39b127ee76a7d5396c286c
SHA512

ac0c3c61050596408cbd9bf4d501e71823cbe9922fa592a26dcdeb5eb00a4e69ffdf045d5cca4d01e00aa1ae8c399634a8c1f03774e07581b583cb5f8d2886ad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8:sxX7QnxrloE5dpUp4bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	sysdevdob.exe
2560	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYV\\dobxec.exe"	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCC\\adobec.exe"	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe
1712	sysdevdob.exe
2560	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1712	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1712	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1712	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1712	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 2560	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	29
PID 2404 wrote to memory of 2560	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	29
PID 2404 wrote to memory of 2560	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	29
PID 2404 wrote to memory of 2560	2404	68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68485cdd45c7606f9a95dfd2c1104480_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\FilesCC\adobec.exe
  C:\FilesCC\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesCC\adobec.exe

Filesize
3.6MB

MD5
0a27d8102a4c8d931888cb6b638d6cd0

SHA1
290200e901ee5d4009877f5f317250592f4601e1

SHA256
8c48c89a3ef12288d94fe7022c1f413c85c8e027c4d7fa6c16b14c51bb8882b1

SHA512
328b5402b9c66a31b403f1bea59c11ef7ab303c3db32c06bc95707bcd58688b4afb8808526ac6b50362f1f1cb5e3ca479f03302fe72f8956232159a619434b00

Download Submit
C:\LabZYV\dobxec.exe

Filesize
3.6MB

MD5
3659a7983cba18889f74638770925e33

SHA1
ebbdf7933a13f4f76226911b22c33019de16bb11

SHA256
b4933b97b29275f35dace2ebf8daca7d23c6817c9260630cec230ff3e393b71c

SHA512
faf0e504b514f19b82cbedfe4782aadba8c075360d24bd016effd2ecb97fc6523076a943a323421159bcbf3486a856298e0c4b5320cb1343fc3c52166db59c58

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
f1fb2ae8d7adb602fb5467df02fff3f5

SHA1
9960171b859421ab23700bf83c4184876126eb54

SHA256
da0121c9ac423e29ae3ffca605c8848c12bb0153f8daf21a26b25a1a14512a57

SHA512
0bf5b29063c9dc5a3ce53420d5b5a29e2bb7dbf6657cbb66a9bca6d770409479b949c0c6d33dabe801d966c14b3bd158446a10ef1199f96be1cb930c17f981f7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
5bfed478655f85b8e97d134b0b6d95dc

SHA1
cf7c2f509c9ab1130efd97c37639f0490b817de0

SHA256
81902ef4c702252e6efade345803515d16697202bb2ff8a23de9be7684f5f014

SHA512
13aa9be177830f2872e6d69b68bbb019b375500932c576da931443fbcfc1836bbb124f1d88677e91e1adb5a36788435be0a8f2be7c5ec1175a7baeb5f45e61f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.6MB

MD5
ab90aa89c5da4045cf64348e8f428d08

SHA1
75e979272c4d5a7adac59a52012f20d7d4d569b6

SHA256
24a70b17b75b276584f085dd7b11b5d88ac4b7b9bced400d3ec5367d4e372c15

SHA512
af011373e30b2921a6eb67bda849998194f26110cb5ad05962641a9dc6ff99de2365a9f77d47f4271621a9e1107cf142adae87679f7bbd2f33653fad9cc1cf85

Download Submit