083019fba5b9df4c54b994cd2daafa96968431d2a08e70adf33a49327c7d24e8

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
Size

3.2MB
MD5

4458ca80390dcd98cf2d1c7a309a44e0
SHA1

2dff43ef0f1f296f67ec01035b8953b454114559
SHA256

083019fba5b9df4c54b994cd2daafa96968431d2a08e70adf33a49327c7d24e8
SHA512

21ce24bfb19a73c3249aaedff9cda9c39a322eacf88259e088697697e15d0f307b2055c20370d253400c9da84a61c512b27bb16b6e34a91bc714f5a050e72986
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpebVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
816	ecxbod.exe
2664	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIB\\devoptiec.exe"	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBJ\\bodxec.exe"	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe
816	ecxbod.exe
816	ecxbod.exe
2664	devoptiec.exe
2664	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 816	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	86
PID 1864 wrote to memory of 816	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	86
PID 1864 wrote to memory of 816	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	86
PID 1864 wrote to memory of 2664	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	87
PID 1864 wrote to memory of 2664	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	87
PID 1864 wrote to memory of 2664	1864	4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4458ca80390dcd98cf2d1c7a309a44e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\FilesIB\devoptiec.exe
  C:\FilesIB\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesIB\devoptiec.exe

Filesize
3.2MB

MD5
a198ddde13b2f9f07fa2688c7db7265a

SHA1
717dda80db22d9aa6a4d47a9a85300e9b134e0d4

SHA256
ff3a518c4992a0c45d02629d76c98ddf20df6cbbcec85cd3dbd819a9a0c34424

SHA512
3de138c6cfa8deed0510e848206aaef7f8bc601c37a5970c3b112075570bc19b0bbeead58cae944b5fa733b1aa177629e78957be36760f9a2a4fabe0c1bc8448

Download Submit
C:\GalaxBJ\bodxec.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\GalaxBJ\bodxec.exe

Filesize
3.2MB

MD5
7fe34ad6e063b3d10fd8d5ef8a04706d

SHA1
f46e4ccabab66039170c231b2cea4a434b3a435d

SHA256
51000d9a86363c1627a373c24fba3f6a71f177d660d71a1aff17436a77096786

SHA512
7de750dc2bb1c56f59fa07381d5dcaf9e2e1a6bee800be553d7b35d2ed4d9e2279bd03c60975db8407bcb6ac82ee7c47e5774970b1e6adbf129fea771f509d67

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
cbb9d4fcdcd9e7daa0cf5938b8c6e537

SHA1
e1ba6a727c59e1f32066778ee9cf5bb351188cbe

SHA256
9e38bace6bf35bb13eb39dcafb0884d725223596da04f6f381dcbee69fbee1ed

SHA512
2dbdb19bf30ec5c7026c2fd26abae244151faa183b428699ccd4f0a60bc27b39756c70b0db0d5f9cd3ddc9960b404dca1068b221129e4c412f16176668f3a63a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
380321562fe0aa4354ed258a60c1fab3

SHA1
328e631f53205a9e49beb7966a6c7a2c8a38a87e

SHA256
4b6e28acfd01ce5ffdff18210f718b61f5653aaba2e49b094fce1964f1224234

SHA512
4cf7de2516f33fcbfcf85d26f2aebdae156d3fc2a7b347e409a39ac73e2506bab352300722700ebc560c674dd7260cfe0b5a8089d62432773962a31b70ca449c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.2MB

MD5
db1efaf23a081ade48c590e418f6628a

SHA1
e92f4abba65c3465d1ef0119aab484de54ead298

SHA256
cdd1c3183b1e41f89443f2d0edbf4e63d1263577fd3f6d03e33bc41cc1cf17fc

SHA512
650457bf2c127771fb90ef45ccda0f9cacf0b50bc3ad19324b27e435b79ae9cde2a2267b0018d2f328733b537288f444f77331ac51c0c1257aef2190ec82eb4a

Download Submit