6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
Size

1.2MB
MD5

22f17ff2ff2a520b7362e2f5c07caef0
SHA1

7b5596961b478a5d7e0180bbebdb94fa1eead2d4
SHA256

6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69
SHA512

58bdbf6b80f6073a372a23cc01a8541103978663117e2a2a7db7bf7c44aff90987c3e1f42042ca048871ab8b60d9d3f99d8a03ae6344ef265954bfb18815a458
SSDEEP

12288:pJB7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+s:XBCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1892	alg.exe
4080	DiagnosticsHub.StandardCollector.Service.exe
4604	fxssvc.exe
4896	elevation_service.exe
5004	elevation_service.exe
3728	maintenanceservice.exe
3284	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35e84794b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5076	6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
Token: SeAuditPrivilege	4604	fxssvc.exe
Token: SeDebugPrivilege	1892	alg.exe
Token: SeDebugPrivilege	1892	alg.exe
Token: SeDebugPrivilege	1892	alg.exe

C:\Users\Admin\AppData\Local\Temp\6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6bd7fbabc7f02464b028511e5113e315ab54f895e39e91e731004b5de4152d69_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5004

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3728

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
650e9f22a4450124ae220588f37da19b

SHA1
2f085c85d3fb83a415d422f3998e5560f42ad056

SHA256
e6858ac9ed8a155a9bf1f1d11e61e59e67496ca0121ac182fb45308f01f12ac7

SHA512
705a83fe7a67c13e1f7be6c3e173613047ec78c8ce9058f55eeaf92127b306bb34f7c472e413f989d4b380866030ddf38301e386ac7298b53fd467d88e7bfe3b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
87be562d3d4972f1938f25f6ceb5026d

SHA1
e22ce3080f288dd55d6387e62806108eb10cff31

SHA256
2a11e4dce8826844a4d749dfaf4bba90639d5c3744e57f8136fbb8d1de9faa81

SHA512
f46dd83f778f7848274053774d804cf7e6a23cb694af2eeb67c3132c29b93c7a07bf8cc391790a921548ba6e3acce0f5d636f6df07d1376b48eb19d371e8f753

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f0e27b3f54d44faf86c3b6405314c16a

SHA1
6f427fc16808b3807daf064f16fc9dc8ef12ed03

SHA256
6d0b434e6f9184e13ea49443266368bddf77741e67cebcc7cf01780ba4e82ea5

SHA512
9fcbf5400a81916ea62983ac9c031297aca720673e41d515c4b5d9c283484a87f330b937b822d6133483f36ecdfa5b71d0f0e59ee13a5d764612a9a0325d8a15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8dace18c2e5de16236c4b72ab2f7e9ae

SHA1
f8c61cf4c2a7f9262aa1bb831418acacf4f69798

SHA256
012f8d7445696da7603efb48c81d45ef6db1503c0a5b75c1d3df10102b739915

SHA512
4728c12cc34d86f760f3daff61d2d4f4502aa24beab8b5584fb57ed5cdaa498ebe98b4b71274eac6df93389c733bb7252b3f4b9ae7d72665f70a7e11c099c9cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8ac98c4b498d294031c756d51068760c

SHA1
3f845883bb4840854bddc305bf4f6ff777bca410

SHA256
6c319f633b2531fa8a39bacc23026ddbae8612a1fa98c2afc0e14613bde03ab1

SHA512
f94f285d784cee05f1ddbacc2c6608985ee89925cadfa557852dc3522dd12f59803ceb2aee68465f4419555d455ba1aa54b637f104285920df31ff6df13ef161

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8c0145ca960c0a6b30fb2d4cdc58e57

SHA1
d5ec86afac7f676226fb1a0ad107a06d2c5ca45d

SHA256
a4c047664b11c8d14ca0c8de14de8e351c3853e43acace31c977192ee8cdff32

SHA512
778aac82825d285bde280c3e00a9ed36a5ac7c2f5d44c145fbb2f26e26cd35d633bfb7ea1dd91ffb6a32c5c909fd6d134b405f46bc735fe17c3201c34fbb3ff3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9a3b15ce4b410c5803dcd6f6cfadad38

SHA1
c484e1264125df9c0126f45a36a41795487904a3

SHA256
5ff934555f75ef5f376831aaa8717f399c856152269829ca00703160742d0cda

SHA512
904a2e57de1723f48d55c1108b571c737ef4f82a38270701f277f5a0b73670b63370976202e792f7344d539f5c8fd9c8cb4d5553ac083209c3fe963cb823f58c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f6e2ad9fea7d9b13fef6d65296a5c71b

SHA1
11690b49b9417b8e820bdd5e075a4a42e69b9f9a

SHA256
dca2524273932765cb956527a3cede8e813f8d3f7224688c8d074832e8c9d223

SHA512
24b467ca8a62628739b9c287dec7eb58125419f97e697fa4f6f24bf7864ed38d3484532839e2aa99ab502d1b624ae84d322452e2131d455f67e52c166bbf7702

Download Submit
memory/1892-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1892-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1892-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1892-114-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3284-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3284-95-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3284-223-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3728-92-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3728-90-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3728-81-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3728-87-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3728-80-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4080-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4080-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4080-139-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4080-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4604-43-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-64-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-51-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4604-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4604-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-61-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4896-55-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4896-63-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4896-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5004-75-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5004-77-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5004-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5004-208-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5076-53-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/5076-1-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/5076-7-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/5076-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/5076-38-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/5076-6-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download