1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23/06/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
Size

3.9MB
MD5

4f90d7054ab313f8b7e02c63fb3bf6a0
SHA1

8166579a770cfd69805ef2158218960a8087ef34
SHA256

1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913
SHA512

26ccea2e76bbe15b765cbe3026e971b0e107d87541f81c5c3ecab436bdc45b6b6a6735eaa9aafbbfdbc514916b51c2e21acf8a293a25b62fe635a0eff7c170cb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpubVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1620	sysdevopti.exe
2056	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFS\\adobloc.exe"	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMR\\boddevloc.exe"	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe
1620	sysdevopti.exe
1620	sysdevopti.exe
2056	adobloc.exe
2056	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1620	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	87
PID 4868 wrote to memory of 1620	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	87
PID 4868 wrote to memory of 1620	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	87
PID 4868 wrote to memory of 2056	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	88
PID 4868 wrote to memory of 2056	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	88
PID 4868 wrote to memory of 2056	4868	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\AdobeFS\adobloc.exe
  C:\AdobeFS\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeFS\adobloc.exe

Filesize
3.9MB

MD5
3fd9ef6bce3b10278159ed28450e13e3

SHA1
96b15b235f58af143f291d076427610f809c694a

SHA256
e0315d8097eebb05f3bc2ef49b0ca76b97d0ef9f8760c7cb195eb327089f8eec

SHA512
cb0bc40ab25e3ec4a14b20593231c8c1cda8377a19ee3df9d30420e77c17ae74745e07961dbaa2e8878de3a4a0bf0397ac409098dea0dbb0fa1aedb5f2076b80

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
8cffa05aaf1057fa9aa2f6a0f65b3915

SHA1
d13a4b481fddafa6b9931239b7a8064c273aab39

SHA256
4bd838e321d2fa8b09a749c0eeb63140b2182dc37b1b4cc046cc17f14edeac5e

SHA512
cc4bc71915cd63ad933255cf9c597d0f57f5d1feb6557f7ce1d3dbbadc30cb20d70436c948b8b02c98bb2efc7fea6c876ecc1289902339674666f7b58228b250

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
0ac5496c0f5065894058f4b60d98a7c0

SHA1
5aa9ada5dffc34bff55e68e35e49084c77a6b8b6

SHA256
02c59313328eb0640eb4a13c7daa9c4e72d34afb67d2f8d336423c4b1f308c6b

SHA512
e139d1630dbb9ff5c857281f971644ffda12375f29c5ab10a1089fdd40bf3aed67b877ce88d54c0352dbb1ddf4e5fd8cf0fc52a58ecd92d78824cfaec934f85a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.9MB

MD5
d3a8f44f1649b24ba2d0e6bd06fe59d5

SHA1
ee698d4afbf9660ce5b5750f905acd1d7d8d3dbf

SHA256
4fb0fa228ac77f60a9bd3ee99ba012a7448a9e889c957b5e91f355d8da795ae1

SHA512
ad8b2c3f6dcf3d33028b2e24b9cede5b1818da20f6f6b910a70d7a00729e425e1a746187aade90fb4fcaa6fd658679b03c0a0c3d983fbe1ac9c74197629a39a1

Download Submit
C:\VidMR\boddevloc.exe

Filesize
5KB

MD5
c346de548654eab088b033eeb72e5ab8

SHA1
61d5e6da50d6f7b00217db8a4faeabab00794f6b

SHA256
1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c

SHA512
71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df

Download Submit
C:\VidMR\boddevloc.exe

Filesize
97KB

MD5
cf1de8d0c96c032a98804976977b3eda

SHA1
6593c371927d1ffecc28e157cc78dffdb5959f83

SHA256
ccaf92365f21e15400c23df13a91454ef04b581455b6f1738877863f7083b4f0

SHA512
e8736c1e85c0a9ee7a6f65c2da9d264affaced060e6431fe238b3b42b0858fdca970b5f3828ef68bae020f61216729fa1eb2ea2126aaa80613a7a75f76786de8

Download Submit