8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
Size

3.0MB
MD5

80d342bb3525d39db873b7775eb563b0
SHA1

28b8867d01c8e2c5f8ed2bc58a4a12d9c63f9de4
SHA256

8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df
SHA512

24051e407fdff0f62959476f9fdb71422901e949d8a9a0ad37453bf38c06db575af113b651be460cfe49fa1933ab16eccdf8830b811115b217523f2479396f68
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUp3bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	ecadob.exe
2552	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZW\\adobloc.exe"	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYR\\dobdevsys.exe"	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe
2812	ecadob.exe
2552	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2812	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2812	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2812	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2812	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2552	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 2552	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 2552	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 2552	1972	8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8eb234e94e4c69486886358f9c5f6e983aa2dfa10494be4ce720431b01bc28df_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\AdobeZW\adobloc.exe
  C:\AdobeZW\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZW\adobloc.exe

Filesize
57KB

MD5
a54d72e8045190fcd1a7c29fae94a21c

SHA1
f2ea661cc3cf0731a34224f5856fb93924eb24b2

SHA256
0b20c762da9a21258c1c72f455e159b8dace732893ef98e5aa50977354b417f2

SHA512
695ebd676bd1ca7122544e8b8deb2955ca2b1188a1354b07706a7fc0b7a83480ec3d0f69b58b9d585933a9b10fc174c22ef9f24672c820f5088fa4a114a0c123

Download Submit
C:\KaVBYR\dobdevsys.exe

Filesize
113KB

MD5
f5f3740bdfc437cbb9a86a79eed01d8a

SHA1
f62d308b99241e5fa0ffd95e5308b3a0e655aafa

SHA256
d820e3ed971e9b9ac83125ccc49b3b298541863f1a235d35b43488b0ca7ded11

SHA512
fb08db61282be7378ddf2cf99f109e32e2244a5827c11e5c96669c5ecccf37cf9914e481344ee41f9b1ac16ac01f05df959d52509a8335ba08361a6186d66653

Download Submit
C:\KaVBYR\dobdevsys.exe

Filesize
3.0MB

MD5
803133bb43598991c1da6fb63c708758

SHA1
4ac50bdb42c69ed3e5f68199469b8c5bf5c5f271

SHA256
01ed55c87c308f7580f403de952a2e8ce93476b703ad867e3e4e623270aab5ad

SHA512
f38297dddf2a4d8d05b8a8608c9884e633d42258cc507e65eb9f10ca02799b5819cd7b0192731587c293daec37a33a19e202fb89692d435d785803aa5f86b74c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
2af9b1270a182a4399a02691775dc1c2

SHA1
f22846a8aa45b9940afbd98fd42a9b486a7a4f02

SHA256
c03fea4b775d28ee66de4d2fc62ceeccab996b6f321188efb99b20c00bedcfd6

SHA512
e07f41e2ec30cbf2c8df36dfb999229cde714f3324d9ee9d7cce04a8ff82f66fe097129dda68dc6a8858d31b4317bc427f5c8848c89c0e205add4997e4055dd1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f972c5e4c0140fba9f009716e4cd7b69

SHA1
33058fe30867529e3328b3ccfdc925024e48d557

SHA256
5d34b96013b6adb91b97c723c10d8c9aa7643543668802533ab75d3dcb0b3f38

SHA512
c26ae81499717d5f3e0010c10594cc29a35a0d5399699b65926deb8e80da8eb1b3bdf4ec6dfc51d5279c5c26ec5959b4691bf08f8c8dc7c6d9f8ded30e1069e3

Download Submit
\AdobeZW\adobloc.exe

Filesize
3.0MB

MD5
aff40c6b0a55c4687d889ee26083dd66

SHA1
988c0143b3e0c4db4b192650e8782c16771e4ab8

SHA256
74c0293bb606fdcf6463c7be101ae4439f222e2c7013c58e6f8618b880621270

SHA512
1cd0390447b54f5681b52d101db510477aeb171637adfc561b6ad8086dcbcf086216c46d2b0fa980614b79838bfb1a6f20fdd79b0fb166852941cf03a1cfbd90

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.0MB

MD5
0339880786d6fb81ab49f9de46c9c369

SHA1
d667cd9b6a9737c2ac633803608111797ccc5e78

SHA256
01c36bc6df0fb21b5b08a5d78e6225bfc955b15174d1b19e754e6945e9ac1b52

SHA512
6f2535addd15c109507eca466967e165493f8ff75bc9901cbcdf77ff715fa285d3c07d0d602a9b91b0fd404b905c89a3f201d539d3a2ecb9183dc8d246493ae0

Download Submit