935453681f310399b50e23d7db0f93177ce33099b79f8355b7f2898ed2ae689f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
Size

3.2MB
MD5

0ceca65c03d9c1a1657e3f12be7a2660
SHA1

3f2a67e3dec6f009e9a223fa5e6be6cee588bfb1
SHA256

935453681f310399b50e23d7db0f93177ce33099b79f8355b7f2898ed2ae689f
SHA512

a58dce716ac8f40b2308c89f7f0c2415e9ab93f8027bb1211aa00f150266ceda860bd9f6b31ee38c3f3fb5ad756f91fe8b822d28f356cefbf6d251b571965922
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2972	locxdob.exe
4996	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG0\\devdobec.exe"	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7E\\dobdevloc.exe"	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe
2972	locxdob.exe
2972	locxdob.exe
4996	devdobec.exe
4996	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2972	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	83
PID 4764 wrote to memory of 2972	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	83
PID 4764 wrote to memory of 2972	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	83
PID 4764 wrote to memory of 4996	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	84
PID 4764 wrote to memory of 4996	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	84
PID 4764 wrote to memory of 4996	4764	0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ceca65c03d9c1a1657e3f12be7a2660_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\IntelprocG0\devdobec.exe
  C:\IntelprocG0\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocG0\devdobec.exe

Filesize
3.2MB

MD5
9aea99c520bda6674d9c28662936f829

SHA1
1665b2c59843977c874b06ceb50edfda23c3f843

SHA256
86a3ecd47353294f57f488f1abf29bcc2cd0581f3bab852e4414415e33db2a8c

SHA512
25e427210ebd331b1eb893fb9dc77b04febd5befdb749f9ff77c60fe6cc103af16a85ecf2d89d582c1422bbae89d7f6e5beddbb26a304cc5d393a1a49ab254d6

Download Submit
C:\KaVB7E\dobdevloc.exe

Filesize
3.2MB

MD5
668a9c2cb0403c7979e532026e586050

SHA1
eaef8179b84115d5542e8b7faf490795b97fc056

SHA256
401a9213b3f7e73eaf6997161976ca7c13b1e41bc0dc03121007d98a06a68976

SHA512
987711e5383b7ed6cda873ec2c7f396d927ab1cc64974e53e118e71911ff01838367752bcb04f2863cd71c6de17a6882219b5b1254fca4b7c689adde7a7d7bce

Download Submit
C:\KaVB7E\dobdevloc.exe

Filesize
1.4MB

MD5
b1a24c718b79682924350f9dd0615283

SHA1
12b9461fa345673b78475996b0cf6e4cff52dc73

SHA256
780c88b6d36411893db98d4cc23f8515a853302e217babeecbd0beb39aa84549

SHA512
4e3ac8f00546d7f69d3f4427c8c02e5f14da349373decde5cd5c6cfff51afa11e0922badafd5ab49622e1cfb3f6fa3a4111b359a76e6e6b97b9a5d5db6ce3a4b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
ca93bf1e88475715034cd0a67b10318b

SHA1
3fbea25ec949bced30dd05792b5616e4d2187a7d

SHA256
d127269aacb4199a5751344de8305229b185b89f806fb7a106ad4a31060e9a96

SHA512
e188432a4ff3a275b1d412d970a762015773975941df77e1d5e2e6ee49369e5161c21965cd6afac6ec50c7ff2d71d83324dd9050d1f061d2051499a535f8e470

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
2dc9d223b489ae3d339bc05ebe1ebb2f

SHA1
63d6548844dfc553f88ce4fdb89ab4cdfb107fe9

SHA256
7d01592d7127b741f1c6ffb49a5d9b38a99ec7b4210d32967489178d831acfb2

SHA512
ea57557e5ccd1b0ecd33f3d198b877a42b4bef50f6734b59d736b0190deb5f6551100a0eeaa003ff32ab482b4e58d955f134b7e9e787546de583c51f0c3f3abe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.2MB

MD5
d65857f77ce06f57f788b55316ea8177

SHA1
49b095de46f85fbf9e1a14e260f7fb611afc8e2f

SHA256
e0261ce5afd3937128f42387e44d0decd8554ed7d8a6fe219e919aa81b00d221

SHA512
778323a44f56598319706b30b5ccc6fc29b84d93df1b06bb42fe361085c5f59bb9409225948b7d7b23b1f2db7a194067aa64d2782499d84fece01e5036bd96e0

Download Submit