00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
Size

3.6MB
MD5

77b682fc37c278fe276f3cb115885450
SHA1

d126625df474a97373a9491b77be7f8403c0eea8
SHA256

00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731
SHA512

9270f222a9695db18aa3d1ffe08a0fe9957f9bb08105ec6cb910917e626956ef2291cc0d8077d2cd30ac0bb64a344f78a2050ce800af0ebce052210e43eb045b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpubVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	sysdevbod.exe
2672	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPG\\dobxec.exe"	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN7\\xdobsys.exe"	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe
2572	sysdevbod.exe
2672	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2572	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 2572	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 2572	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 2572	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 2672	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2672	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2672	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2672	2396	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\AdobeN7\xdobsys.exe
  C:\AdobeN7\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeN7\xdobsys.exe

Filesize
7KB

MD5
20ec6effd447fb35f7db816f8c616148

SHA1
c8c9edd9f30b93dc161fc035c69b57e7af305dce

SHA256
43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

SHA512
6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

Download Submit
C:\MintPG\dobxec.exe

Filesize
2.1MB

MD5
a90ab1b90579478842a89d7bfe8a0d7e

SHA1
b97e57922049622a4cf32b03aa683ae6518b471b

SHA256
5600057d7bdaa8534d9363a258e4a64f5e30db6454669cd321c8ab537bbf781c

SHA512
d5a52871615edcaf6a9b42787aaa9ca9aca897da8b197eac20dc6cf75d5adffffd21a9a232133d9893136982d8b2b6cebc50afe1802c769c5216979bd9592bfd

Download Submit
C:\MintPG\dobxec.exe

Filesize
3.6MB

MD5
26dea8ad12ef8fb8ed4b46d31d82e521

SHA1
94a0f74f9eb755c46170247a1175ae9c21d2f589

SHA256
a9c95bc0104d41b352df16bb534c2e9bfce2cd9f38938f956c427c898fe1ed9e

SHA512
8280f58322ca3ae33eb077e934374f93add9ff435501ffc0d971f70617ae802adb4a30af819632f32bbb7149ed81e201f7ad378d525e531cdcb708e34d4142f8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
58475ffc90d325ca13f820b082e15cef

SHA1
e54613c6dcb3cd2fb4c4b2469b789198bee1d1e9

SHA256
33eef11164c735f52bb3d96159c89078255c1f5e27b4c3d370a095e6416710a7

SHA512
adec7342b679e3b0cdc511832a99f9c22d67f6cd5487c3e37d92f8ade5955f5bc7777503be83171322321857ed849fb9cf38ea94ce0f3aa2b28768015996d834

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
50683cfb93dad3df4fca01c2aef46c80

SHA1
59767cbe7ab25020a34651786fb80fe3d53d6d5c

SHA256
4fa28eb94a4520e0021aa1ae5a62040f416a7cc69d89b62e59d6ddf49d6eef2e

SHA512
0a3b72c92572e86695514d51596ff17efdcfaa8227963edacbb0b41732bf87217d69265db69a872ecda639d99857ca82e1224f84413f4dfcca97b485d4a173ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
805635332b3e0bbfbf0f95580052aea2

SHA1
a2e412768b5f96d2ed5705ff797c6c99a33aad63

SHA256
be2d931f391fb3e336ac0215a7e62d1ef1a98cb9f7cb18aa6cf5790c0ae2fa21

SHA512
6331f0c44b6b85c434051db4211cf207ca797671c71c978fe95040263e89d96371dc0201847684d47055675c75083ade1faa5a3cff635b6f1d05c6f4d77a4515

Download Submit
\AdobeN7\xdobsys.exe

Filesize
3.6MB

MD5
bce8b1291dc33bb322dbf15967c23be7

SHA1
bf0698c34630c0e699d7c3d722779da36d515c54

SHA256
78a2998a4d98234b6e273d72ad3f87766b9e50ef0835f63d6a6f137d162b0980

SHA512
677fb899a91435a1dd248649964dac76d7051df3c022fbc2df80e53167be8c6b9f43af78c5a5a2f728bd9d8ef6cbb4ef903fa0b9a9b7f666883ccc88796dbf4e

Download Submit