a90e681347d0c97cd3b88c024d24bb30e3dee0c69cb0dbb62e802c11eeab3cf7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
Size

3.6MB
MD5

0e3167f94e75e91a411fc3dc3bbcaf80
SHA1

5211b129642a3864a346eeff4b45220824dd01ea
SHA256

a90e681347d0c97cd3b88c024d24bb30e3dee0c69cb0dbb62e802c11eeab3cf7
SHA512

22c10f1c2d880e48db9ce88f0b53ce297af8bf495d966f102dc194f2ac88c5e57c4739c473c92acd773aa8efce4b54de0287bf282ad9a141b667882b3852ab4e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	ecdevbod.exe
2640	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0Y\\adobsys.exe"	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLU\\dobasys.exe"	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe
1212	ecdevbod.exe
2640	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1212	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 1212	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 1212	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 1212	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 2640	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2640	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2640	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2640	2792	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Adobe0Y\adobsys.exe
  C:\Adobe0Y\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0Y\adobsys.exe

Filesize
3.6MB

MD5
f5c5a52da5b5bb98d605976e2b03c968

SHA1
a32cffd99544761af9b4ea5a26cb2f86c8b0b585

SHA256
e8d81b896dd75b09cc0b4049d0290d9927a95f2bb0fb67ec3a3f6ac7830e355f

SHA512
d144031ba1b9dca66b4b110d97606c63eeec5ec08b0177095120b394743495560e6c030ad1c705e7183d1a0a1ef262768f4245d231e8fb95d6d761fa1e4d1ab7

Download Submit
C:\GalaxLU\dobasys.exe

Filesize
480KB

MD5
cfdea3bff6757b4462c16413db7012d4

SHA1
0dfa763a736a8efb6c743bd58a36170183b2278f

SHA256
4e2757cf3b625df35af6ff08d7ea026f36fa3b51d42adeaa500c3cc55aba4886

SHA512
d25ff81d203ca4e61701bab0027edc2aa48c7f80703f0875499089ca165fc168832fe93f34d365081f1672ac7a67d66631b1136fb0fbd97f0cf7e046f8ed436f

Download Submit
C:\GalaxLU\dobasys.exe

Filesize
3.6MB

MD5
4b22fb3ca7d1af9733d8fe7bf20988df

SHA1
0029a1cf143b8c7eeff313d6bac94762d7dc5458

SHA256
ef9d8cb570890145ed6dcc6622da1727ec28784ffcdc558de7ee2a5c36925147

SHA512
65eae736b5be252e17bc75db150dc9578e62556dd59bca231e0da865731214473b63e273221b1631611e11bb4dcf3c4036f3d72a1f7c654d6e5f3bdc4ecad7ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
22c0b7625fd092a5c4563b8543e5b18e

SHA1
bca512fb274b56a5dd911373f1410295f2597f65

SHA256
9175f8b7cbd1f19f39d153726d2c3dcd084c039f6603e4a9411f8de89793da42

SHA512
e6bc43594a094dbbda927a00d7431c77b2c454e4d4f5e511c711a4ba897500100968fda29fa72c97566dd6290ed1d763408399c17ef822077aa6d16c54b2e385

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
6baba9fd9d413aa803b33e39bfab00f2

SHA1
9550a56e378756708e25cd629c92eb24cc061b40

SHA256
8d3d2d64365dea81f95bc84eec71640578ae9747f8ef84ee3a77af4f16465c97

SHA512
bf286d4c9e4413bea274a861a5b35a0c76b31288f93dcacebc0bd7a657f7ba352d712d19814fe6c8b0ec58e99a6f90c664f617330d06df9b51243a1fc6c7bfbe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
5298d4abf0247c352ea4889124c24507

SHA1
ae46a39390f3c5bd6c2accc6bed7edcfb7fe4750

SHA256
9a6ee804bbb3b7e6f6a489a51b512bbbaa94534fc15dd5660b4d569596e846d1

SHA512
5c4bb480c0fe5055f266181c53f75b8f7bc204b889a50c5227c71476ee3dd427111b72c7483f801ebce79a2c8988b63c6291df8f804db4bf5d80ee56032a4691

Download Submit