568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
Size

3.0MB
MD5

5ac992e91ffc386c3fa7e86f3f2d5400
SHA1

86ddcc2c16357e398e3bcf859ad7700b665f1036
SHA256

568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde
SHA512

983c6518d225185e6e6a377058d8b0f135d1e3b75a99c4d80727028d9816bb46f0023f16232cc1c1c983dbac6947df9f07bf2dca501f4bd2e711dda5a850b158
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUp5bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	locdevopti.exe
2664	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVV\\dobaec.exe"	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6V\\devdobec.exe"	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe
1524	locdevopti.exe
2664	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1524	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 1524	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 1524	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 1524	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 2664	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 2664	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 2664	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	29
PID 3016 wrote to memory of 2664	3016	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Adobe6V\devdobec.exe
  C:\Adobe6V\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe6V\devdobec.exe

Filesize
3.0MB

MD5
46399156419be04d09118deb63d22fa5

SHA1
d9734c27cfc22c18730d3f4ea5f990dd48ac4a9a

SHA256
cc4892dcf5f83060e2215c0f9d08477c741b33f73f664da55620168e958a9c9f

SHA512
f38114525f6e27c9e1b3a1e400a109f081dd3d9e29b9b51685bdb8d2cc3dbf63f8aa88ecce32401cbb339ca1c8f104adaa2939a9b7232bbd3c3cb40e23ca17b8

Download Submit
C:\KaVBVV\dobaec.exe

Filesize
3.0MB

MD5
ed498252c8ba2293ed1d650a6050b677

SHA1
96c081b4e01b6ed4c5d571bce1989be2aa5e5143

SHA256
17fcc67e15ff1d88384d419a9a2d5dc68c25ea26a8601820babbd280ef11e2f4

SHA512
9e64b0e057d50921790efa3974eac8424bd6d6663e236c0a34ec8cd7d397687f3de70ef435953fa4b9e42269e474e0fe8dc1ef1dfceaf5c23ee8f4a7217deccd

Download Submit
C:\KaVBVV\dobaec.exe

Filesize
3.0MB

MD5
af6023667faab078071bf7655d5ca0d7

SHA1
da31d02f08afb968403ee521ccc6a0e289c10385

SHA256
5778268b7bd209f192be7f9b25e80227d4b64a9a4585e0461e4b023d793db616

SHA512
462dd5526220d18848eafb81e365f5a674cc79e94d395c1a313d51591894b1eeb3916297e797e83e11c807bd6626ab7b1a10f5c17174311640ab5bb535f64509

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
df7a188f0c50ecac4b5e554ba57b9fbf

SHA1
cca0298f3d1a9cbe7ff2538331d2b685ecfa46ee

SHA256
5819ef774885e9dc69c8348c50143cf489b11fbb1f3476f0a87c2563b2693bcc

SHA512
df08a078aad5daa4357c79e7e16fb8a216be84e89759a2130e8becaf270c1defb053e1c72d830e15d70f4185ef70a7a127e0bbb25b6579aab1ca77ad62f9ce0e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
01cbb6f7343578b6e14f66537618b3e6

SHA1
241d4a33434a5f5e9380295d5f21a3499dcd8f90

SHA256
e71d9421edfe54a4ffb774c7892f8a645994beb91669d67a19df9f7050c10d66

SHA512
f0b4bdb9915cdf6c9cd3b1eb12c38a7aba7fb0e5f5565b44a19776b28fb2bc054f1fd1011b6cb63f956fb29480fac936c6e42051f864672d2b947b4b648fec93

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.0MB

MD5
b0432913ad65bf7bdf004569f22ffd85

SHA1
736e1f247688268310f88712081a121aeccdc582

SHA256
d731c4f93055da7b5572fce3ebb3ced25a047a7cc6224c0cefa42d95aa268765

SHA512
fea66474eccd7bc6465578dc6a18d7f44923214d7bf689798679761f87dfbd5be2e5660bd2daf01e626bc01619365bcf594d80415a3f1625a8f80441a0a55cb8

Download Submit