a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
Size

3.6MB
MD5

c99a41aad6eea5c335b3aca6f2043bd0
SHA1

adc73cdd61b451224c539816ac3fc6c83a948234
SHA256

a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589
SHA512

ef5e853d715c53dc9a4f40597c40bbc20bc81d71ec2b778afb56b67a244274a0f2d7821dd4dd5a16016e2ae6361a4055100032a80d7b28410cf7ee7e529580af
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	locadob.exe
3412	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQL\\optialoc.exe"	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJL\\xdobsys.exe"	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe
2524	locadob.exe
2524	locadob.exe
3412	xdobsys.exe
3412	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2524	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	96
PID 5072 wrote to memory of 2524	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	96
PID 5072 wrote to memory of 2524	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	96
PID 5072 wrote to memory of 3412	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	97
PID 5072 wrote to memory of 3412	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	97
PID 5072 wrote to memory of 3412	5072	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\IntelprocJL\xdobsys.exe
  C:\IntelprocJL\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJL\xdobsys.exe

Filesize
1KB

MD5
81306907a8898717e74eee7fe3ec9748

SHA1
6871f1f920d712de6120473f387e1497841b3829

SHA256
1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322

SHA512
205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

Download Submit
C:\IntelprocJL\xdobsys.exe

Filesize
3.6MB

MD5
5419bc52e823da7e4343d353d5202c71

SHA1
8dd1f5af087b5e8b7d282be69d793bd429ae0cb4

SHA256
a945bf82dd52699d31cf191010e44f0d760245b288a38c2e2171ef3ebfa684bc

SHA512
f1e3b3674d987ae09b16addeee6f39c67e2b34ca9cc3c82078e4e09cf9a5c441403f6d700d2d17740c9b44dc46706f48ea453068d9c5a7eae59f4f4a3d99371f

Download Submit
C:\KaVBQL\optialoc.exe

Filesize
3.6MB

MD5
ae0a546753c10ab20b486fa4e0e4e084

SHA1
30f11b2dfba8db0044b2bf6eff1c4dd470ed639a

SHA256
31416232ea1a44b4431f30476a6b6fddc4a8e125b887290ef71b9a777d020c9a

SHA512
939532954988a5309bf66c1956bf0376ba061dbfda3ae1330d8ee273eb59672f4ec59bb59b2ee16142afe710326fda54cc2307cd325b8e57144f955fab16be05

Download Submit
C:\KaVBQL\optialoc.exe

Filesize
775KB

MD5
e1993c444fded0a4fb05ff0cb2cefb78

SHA1
21fd9710197e6af710c7fc495ac97b92c3e46c33

SHA256
9d629ed34f6ca1812976e8dae1a2a4de5391a03def555097bb361cdb63833a80

SHA512
91fa99819f59c093ced52aa030dd1ac1a62226150d24b2dd4ca9d63431f48f55cb1c15d1bbec425f4f759cb281638fb2d7cb54a6264b1e4a7513dcc3ce988981

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
ec030cdb67cb79ba2349fc1c110be892

SHA1
0457d870de28ce7d8afb655fa172295a4ac55198

SHA256
2f1bdc4f28833fa814f67f7e8af1daebbaabddcb1f4d5ed8c222b2b96a8dcd7a

SHA512
becd9aef1843fba96d40096dd95cdd749a6471cf430f1364ccb2c69af9d63727a0604f45c62b86e3a9f4ce577d35dec2b7f5dc1578ab061ad8295c4ed3e384d8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
5cd199476c69945f5af0c2af581ab689

SHA1
92c5c0833ac0a8616d63da110c39832d84c21c87

SHA256
5e65c88e06f43326ed8388867f25b9cd52ead4561be33f398c888b84f64d74c7

SHA512
9e3c55ec0d5c79c74b61d33066b09efb0f4dd4b3de7e365b5785f90e4a8bec23a0bf4e8dc47ae47e1a74a7bc4c0d870f52caae6e693c8f2fa98580f6eb0db66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.6MB

MD5
6b0695e2d1e75d1113e65e6a75c64a3c

SHA1
c4ddecb52d428cb9a41d0572d3551a2145b6ca50

SHA256
3a0dd54cc87c0ae67f80a3f43049ca9905dcc709deeda3ad46fbd16a009ca4a5

SHA512
425e58eeba1805524906a0c14971658a1c66651561813eeaf720a1fc27f2cd04e36c20f3e725169945350ee4cf3c21e7d6f238cdd866f9ab55b2f61fde3f084c

Download Submit