21d391cdd14d379e1c182615619991685d5eea59f81d8fce667889d6f40de3f4

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
Size

3.0MB
MD5

95862838317736fc73fb3b544a5986a0
SHA1

d87290e4a51c8ab2fe814521e546aaa9ec959098
SHA256

21d391cdd14d379e1c182615619991685d5eea59f81d8fce667889d6f40de3f4
SHA512

1c1c6afb967378aeea20e1bda1058c74993b2a20a7e4fe27de1c59ff3c94e919d878215b4ff395cf68c9ee54857d472f14cf72e24314b46e7da4a0bd308434cd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUpLbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	ecdevdob.exe
4052	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTC\\adobloc.exe"	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZR3\\dobasys.exe"	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe
2380	ecdevdob.exe
2380	ecdevdob.exe
4052	adobloc.exe
4052	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2380	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	92
PID 860 wrote to memory of 2380	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	92
PID 860 wrote to memory of 2380	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	92
PID 860 wrote to memory of 4052	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	93
PID 860 wrote to memory of 4052	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	93
PID 860 wrote to memory of 4052	860	95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\AdobeTC\adobloc.exe
  C:\AdobeTC\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTC\adobloc.exe

Filesize
3.0MB

MD5
d3dd65ef1ac251c24e9da7a2c0b4228c

SHA1
962b6923dafc12d15e811b0243c5437da7d020ae

SHA256
e5086daf8ce12550c1273a21b2b64a7d93ee5bcd4294998e27c2318ca5e99bd1

SHA512
1cf20369be31e1e0454b89e8c0e7e473f352dcd24f8fa7a8a226032931e230583e753f42b293660cf255ba4a3f3385f5cc393f6d1f6bd0bb7e2596b65f77a661

Download Submit
C:\LabZR3\dobasys.exe

Filesize
971KB

MD5
a92b0a690138968b5d0632086bd90c4b

SHA1
0d5ba0547d4627f3e38bc466714f71829c28fb26

SHA256
676465b1a7d7b8dc7515d1f149ef691e0b5f8e6c3b67c7c9ac5235b6bc1bad0b

SHA512
431420463c06167eae01b6874194056096795d4c9c9625a5de66f12444a008d5ce2ee86e052768974caaf4ef3adab46cfe46f98f6c48d22f55503b9627380d4d

Download Submit
C:\LabZR3\dobasys.exe

Filesize
3KB

MD5
b85ef880820ad2f02706b10170e533fb

SHA1
71378239fb161e35c8f79d7a951d7d09d4f45b33

SHA256
824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78

SHA512
f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
1ae9aab5446890d698a6f461424992b4

SHA1
3c78f8660810f0156e8a8d3fc8feec264a19c551

SHA256
44e72cd286e3fd0e4e6d9c3cbf6f4786e4f627d6a8ec97974ba7c9f76ce99d83

SHA512
d7bd37cbcaf9ab254e656c361194d437bb4875fdebfe1d8aab7173004da273a3b3cd0f449724389edd31f74e264125fde946cc0641fdbc9bdef88fd061f952ee

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6c935d1a63f54ea1d4570b5216d6087b

SHA1
bcbb90969e0959335aade8f2f785418e0316fffb

SHA256
65df515516d32bb86b8ab23991db4ac0ebefbf59ff9060522f29c84794e3b1b0

SHA512
4d64d459d9769feada531b39c74996cf321dce645073de5937453b57abb4dfb99bde939813ac62ec8e806ba7283949faee68ed32c11c11c370ae0b2a900515c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.0MB

MD5
49d7b94812ab38a93b1d9a876a8d40b6

SHA1
88922decd198a0591d811fa32616443d46edf8fb

SHA256
c513a7ee3e2b537669c833b6e1458e6892c762b2464c28bf4e478001abefad1d

SHA512
5bb4fddb4c18bc70b94fef49de0663d417eb2b618106ec3a1161c8e23e6d951b1ad535ea0d67cf315bb2d6ffd737f203b81957695f5077ac4dba69c1ada959be

Download Submit