413f2b3bcf7a0fe28af6a3e93e1987aedf1dcbfa0deb3ecd7eab63f64d01ed63

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
Size

3.2MB
MD5

53fb1e59d27c4ec5b18cd522469ea850
SHA1

231336b6ec03827a24dcc69456853a6e5018e182
SHA256

413f2b3bcf7a0fe28af6a3e93e1987aedf1dcbfa0deb3ecd7eab63f64d01ed63
SHA512

51fd369c1576feab601e282cb40d284b34705451539df2f1d065f7e98e8ec9f126db07e3c45da6f83602f9a965d2cc1d32811dbf724cf0fa73de50292bccf5a3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	ecadob.exe
2844	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBN\\adobsys.exe"	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4B\\optialoc.exe"	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe
2884	ecadob.exe
2884	ecadob.exe
2844	adobsys.exe
2844	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2884	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	85
PID 3404 wrote to memory of 2884	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	85
PID 3404 wrote to memory of 2884	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	85
PID 3404 wrote to memory of 2844	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	86
PID 3404 wrote to memory of 2844	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	86
PID 3404 wrote to memory of 2844	3404	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\SysDrvBN\adobsys.exe
  C:\SysDrvBN\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4B\optialoc.exe

Filesize
3.2MB

MD5
aedf618ad1c2177a4022dc9a5f585bf3

SHA1
20c1f99899df996e43b0d2e12660841b811e2792

SHA256
714b27ae3d01d73705511e084585bafc058686111226aab858713ba1a1d85142

SHA512
32fa802549d593c5b2c8dbc16b605927f59b86d9997397b711505c3bd7823cd6f43703bb57a22a1b5bc39cd1016a21a01437845464e182eaab606ba1a5bcb0bc

Download Submit
C:\Galax4B\optialoc.exe

Filesize
550KB

MD5
306db0a0c82157510e63b751323e1032

SHA1
6a09350c79647c37fe4bcfe60fa7637162b7f758

SHA256
747290cde1fe5c8139d8c40f59f4478331771c9d1390f56fb1f68c585e4a128e

SHA512
d3b2f95adcd0f06f6c4519817e3cb87bcf60b71cd5b31c0e0bf6dae2f5a408b9bbc5b13691afd9de97ea2a290e625882a27e980ea212f91acb2409324c5e210f

Download Submit
C:\SysDrvBN\adobsys.exe

Filesize
3.2MB

MD5
8c6afc91f2ad7f85324cc48b1602c881

SHA1
a42261dfc140b1736ebc80b867a6c9ae6a24d32f

SHA256
07d9b27476cacde5bce5904e900ba87a12524f4371c3adb718cfcaef00afcb19

SHA512
ad46e1ed6c1728e986910ed07c8f74e41f29aec6229e6f5d5418ce99a80325222d0e9c5e6ae0e47dc4ee0a34cd9da6d3d9a152824d7980e10fdf8f6b360e5182

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
e12b1f3ba8b0c14ceb1a15bf81ed062a

SHA1
d544c037cb39a2107d6118a177021806212cd304

SHA256
4518ffd8d0fd0563a2fd43bca52fb331075192dc957c44169f1857b5feaaa33e

SHA512
d7a6dbea112f846feb1564e7fe0471e720c259eabeb401180fe1e5829e27e394080d91b68968e4a9612eaffd49136892c957b3cd54e161ff65de8cca053fc08c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
84214d2a1441e4ff6a44269177ebbc22

SHA1
873920891f48e7045a899dda5a0737e05ad3d523

SHA256
5b07996221e081812dff562b0a69b5b4947064a23e762f487d2348442932a9a1

SHA512
05aad4bbce8c06277e9367fbd8282f63ed616957129cbd39747ea0b64d01960798673648eeb5fdd5dc76e3d807ab6c9d9f028d0e48bc8369b0b49e0843dd157f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.2MB

MD5
3bdfa0bf1195534157e24d988ff07519

SHA1
2bc9ff6418be51d6bc06d7c8261aaa6cc049270d

SHA256
faae552a45c26b9c9cb87adf5310a4562117d47b4278f2f33c12cd43b9873ac2

SHA512
0207ec48b90d4e66e35af3e85d9f2c3db194762475d165736b076f4ca39bb210aadf2115ef18b88aa3f677424d8241d9d79bf35ebed2eaf5b13c4ac721564dd2

Download Submit