b6aa7af9089ea78b3c39035ecb47a1aa6a564c4d73a5cc760f8849f34ca3406a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 04:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
Size

3.0MB
MD5

36994ebab263562d55cbf92317caca40
SHA1

fc16359924d25c42b4b47ea9cbeffb1e35885ff5
SHA256

b6aa7af9089ea78b3c39035ecb47a1aa6a564c4d73a5cc760f8849f34ca3406a
SHA512

da51a7cf18eccb2bd5cd93316ea288773b26e99b4a4ed11549d4a62bd81a9799404d276697f97008ccf0e3887dcae475df0641f0d25f62edfb828402d6ae10a0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8:sxX7QnxrloE5dpUpobVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	locxbod.exe
2468	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5E\\adobsys.exe"	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLL\\dobasys.exe"	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe
1960	locxbod.exe
2468	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1960	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1960	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1960	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1960	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2468	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2468	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2468	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2468	1936	36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36994ebab263562d55cbf92317caca40_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Adobe5E\adobsys.exe
  C:\Adobe5E\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5E\adobsys.exe

Filesize
3.0MB

MD5
8aedc0b1ea447d89b7d296d0a874c77a

SHA1
51f96de44cc44f17c2857d3a033b24df097f76fa

SHA256
c7859afa837b78090ee3fa36b82c08bdb2a02f10b569abad0a74807efd63f450

SHA512
c6d812f923b38b082cb270805bcae74649b0d710fa7f9ab6c8e47353d6a61797543e3e3a0dcf7823af059e1b50b6ba8ff23956f79e192d97a55c5c16d35e9421

Download Submit
C:\MintLL\dobasys.exe

Filesize
1.2MB

MD5
2e05f127ee18099a42240cbfdecd6328

SHA1
ae39618bbe180159dea3a0332a9a6e7e88ff8acf

SHA256
f71802893d99df605ef0621a597ef414f2de7c7078c5b4823a65e801643d19cc

SHA512
86cae2dbe4041d6f0a5bd61e193b571bea289a0aaff36e4c0f41304a8ab33744839831aea0551218c24daaec4830168f3774169e42f2168b0fc42d1f2cfc7992

Download Submit
C:\MintLL\dobasys.exe

Filesize
349KB

MD5
ec45217c69c1e69382f075a1bc460ccf

SHA1
01d7b241efad3bcae5c0f06fe946e87482b83831

SHA256
68dc333109362df4ec08ea13f961c36effbb22454ee13add8ee0683324ae7eb9

SHA512
85f7ef4d365fbe43d17574f35bdc314095a4b286b0f80e3bf5811448e3e89fb460a20b50d868fb4f4c71be9c68b8c44e9453bf246e2e8e32e79bdb9000d16346

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
9c755174ad82c82730a0f9fc911af066

SHA1
32dcb3f0bae354b66a2ce6792d76dfb96c40a12d

SHA256
43a35209a18a0bfdc809cc4376fce7bd23855d03c219058a8bcbefb130f49417

SHA512
ecfd68c22f837792f7320347d9681f52b59089f504d07f479a7625a57fd28fdd34a8f26f8544065b126eaf92fb956df121d717d9ce9c6d15d5bb0a58dee4b283

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
da974ca803024abf43053fa794b91f71

SHA1
ce40176051142ebf78bc1153a8306eb3ca99080d

SHA256
b657e46cdabfe5471a18c30cc194bee468656aaaa4ff3349b606afd62a48c4ea

SHA512
32ea8438d5334de668ae5062f61449f0de794a2cd40e68458b199b16957805e00db8a4cdd4fac4f947fe2e0ba0855af4e46006e37e6fae8f8a369bda28cd4d96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.0MB

MD5
b1f4393c6fbafcc18faa61158147c53f

SHA1
2ff60d33b666ef395315b580f69712afb31d4ad3

SHA256
dc8df215bab22f0b7c070c92c164bd2d0034c08a55105ea6ff583ceb08b5e9aa

SHA512
4416ce4c027a59267437b032c2064ec1d467ba08460dc628c0e8da181449915008d8f769e85ec08bac9bebd8141184b0dd1249fe211f07201722ace1b140ec8a

Download Submit