6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
Size

3.6MB
MD5

3ab915d36c68cf1f4615dbd9a1750920
SHA1

ce3cbccff3d8200032618f5a8e1e5a8bef955006
SHA256

6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69
SHA512

a5af1009e02de9a88873f3346da80f3a292a125454427d5fb949976e8bec34d4858db34118dda9ac0c36573a27b186dd455521dfd2df86b473d34258ff91e90c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	locdevbod.exe
1160	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\adobec.exe"	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTW\\optidevsys.exe"	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe
2924	locdevbod.exe
2924	locdevbod.exe
1160	adobec.exe
1160	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 2924	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	90
PID 3436 wrote to memory of 2924	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	90
PID 3436 wrote to memory of 2924	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	90
PID 3436 wrote to memory of 1160	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	93
PID 3436 wrote to memory of 1160	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	93
PID 3436 wrote to memory of 1160	3436	6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a04be1c1281259ed6a51e81a5278525b462e452f6831fb000484f3457082d69_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Files9A\adobec.exe
  C:\Files9A\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9A\adobec.exe

Filesize
3.6MB

MD5
baa6151a5cae7146a076ec28db2056dc

SHA1
b18166526e7fc400d3cf2e7c3fdf365588b8a216

SHA256
e42112bd6eac658f459cc2dbb3f40610d5da23aa76f62a9b1ba80613af1b0ab6

SHA512
15d1f64d45503357b9c3f56bb32daa8aad8f27990ec02301c853931964809f41cf95b848369e54927a53adee0521313ee35182c3ff22ebe4477a70f496dac835

Download Submit
C:\GalaxTW\optidevsys.exe

Filesize
467KB

MD5
3d4d6bbcff3716b4fb3851d48cf46e5f

SHA1
1de9dc4aca672e5073b8f109f5f4f1dd00887e6d

SHA256
53af17b463e7d36f7b4101ee52a82f1fd9ed77f4c6875a785924271327dc1260

SHA512
60159c1822808fd73757246a13d4650230f48013659a36e1e62cd1429443ce21c49e54f667bf526e9edc35d04e76f44a23d587b6c9f5ed74195d37793f2008ec

Download Submit
C:\GalaxTW\optidevsys.exe

Filesize
3.6MB

MD5
6fd5f3618e874993c7535b22cc2e08d1

SHA1
1f7cd7c88ab3d360d3670cd95d4a7b3345c898b3

SHA256
c7c085f65af257017bed3c960c4d17a3dbd6047a8acafcd13f3f1a143ac5647d

SHA512
9c72f39030420f3cc725c0050bcdcc6fece3e16914b2e32b0a43e65850c2a7f93f060cb0fbb3bcb6032bbc7f914fa53e3e92d8b82edf4a4ca48d7be5cff1720d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
49f4f216d983ea60deedb9fe7733c603

SHA1
4cad480fe958066eab4afd3a6396c9e76aa027a8

SHA256
5dfe1eae8747867e0eaea7deadf30fb7bcef12c63d429d9feb0524d09c826ea3

SHA512
8cd1200e0d2ed092bb9a160e40894b3a805da5c7a27313becfb3802e535090fd69a01160eb94f7c780a0b9b2664a6e778ac2e40fc0856a873a02c52d4799294b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
c36a556fa70d31f6577c420083b9e140

SHA1
755038692f250e0d09cd75ff7c636edb2423e617

SHA256
b6cbb50ac262ebb051b9d26b35dbe28095ce27239cb52e3281762abedee01343

SHA512
46b932e0929f761e0010639192643d645c30d376cf7cb3ed004629986e3ea3e055ce1aa6fca26ee0a0938d08652bf9e2ea7ca3abe4a063cf98c5bb49086b1bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.6MB

MD5
92e8ca8926a5828c300b45a8426b63cb

SHA1
086d855fd0da174512e993e71e7946a989781ba5

SHA256
8cd862606e0c5af70448ad1bb9afa925cec00e7ff7c78f46715c0b3a1c139f15

SHA512
9cd151820e94ae26e3dff0f8fcdab85eb13dd5f163e2eea27a3540105f302ec1f6a63a800f03250b1cf78538acadcb571465627be23447c058653b687cebec14

Download Submit