211afc5c9be3d9df647f1dafcfddf8888692014add4eb852b20d61db516cf941

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 06:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
Size

3.1MB
MD5

8ea6821295efbeed9ae3ec8d8f40eba0
SHA1

f22defa1352f8a9c0cfff4dc6f4737dda9cf2f7e
SHA256

211afc5c9be3d9df647f1dafcfddf8888692014add4eb852b20d61db516cf941
SHA512

ab4284f501c3d3cd386335cb80fd0ddf4a0a6583238e6792d2ad4e68f16a57fe6628d0969ad690f2cd8a61c0a74629eaca6cc515c6a0be9052d87cc587e1f8e0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpFbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	ecdevbod.exe
2780	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8Y\\xdobec.exe"	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ53\\optiaec.exe"	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe
2636	ecdevbod.exe
2780	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2636	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2636	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2636	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2636	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2780	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	29
PID 1772 wrote to memory of 2780	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	29
PID 1772 wrote to memory of 2780	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	29
PID 1772 wrote to memory of 2780	1772	8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ea6821295efbeed9ae3ec8d8f40eba0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Files8Y\xdobec.exe
  C:\Files8Y\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8Y\xdobec.exe

Filesize
3.1MB

MD5
9a75ec5bfe366dcaa05517298f761ea8

SHA1
637b7a742b62ef79bf7f4ab5bb783555c185c116

SHA256
75a7ae147481d8b3cc518d38b78443b08cd1139fcddf70ff15f5344df0091d9c

SHA512
2526a77cdf169cdbfafbb953ec2a20f3a5c5a12e6aae44b57144b2be2bf3d808f9280584a775ab321b1420f0fa4dc97585c6f854999af4296c000182f1917aae

Download Submit
C:\LabZ53\optiaec.exe

Filesize
3.1MB

MD5
7bbf3e9bc611274dc067348962fbea80

SHA1
4e250f2e20e511eb4223d270d9a1040dfea47766

SHA256
05bf2e643c897e3a37d6c1c551b14334788eb4286b71522ca737bdee9252a180

SHA512
d2cb52e235f5f54f2456ed43d3c9da241a7ebd85535ce34edaa4fb78f489c0183823a13bad5d31a1f18003257db6abb51dc087f83f64ddc149c3ae4e52deac68

Download Submit
C:\LabZ53\optiaec.exe

Filesize
3.1MB

MD5
8e4eb776c0484a0fb522f09db571534e

SHA1
6e60cd456fd331cb555a63ba6a6b9ff25eebc856

SHA256
281fd2c147a31f49dad91c31d800ec8d184d74a2146b94aba5511a539b10a904

SHA512
b33510f2e672d16a22ccd35f5f040f9ebb15effb4599264f62d89dc6f02704097ae948f07835fb2e333f7f3f52b5bbdcbd4d6ba6a94e94846fe11fd4aa469988

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
3ca8218462c0c912ae04c10ed571f8c0

SHA1
cfaf84ae994a08e1207eefbe1cdcfc7c0cac933e

SHA256
4846acb2d2ffb337932dba4e48c553b4a8d445799bac78e35afe51c3fe55ad30

SHA512
8d2a0b6b05398878e51fab9b560f8d790386969dfde302772abbe4134be4e5d696684ebd26bb84d1fa26cdd2a6f990a916dc359b27a4c6d91f7495f494cfed70

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
25c19b5bfb7c4e6dff15343f7ec55325

SHA1
0a969e83136362eca5ed6f0af0a21bc23ddc695c

SHA256
ec64ec3d7d47c55decd7bb6b159ecfc66e97b5c40328464676b40310742d8e07

SHA512
a414dbd26558beacbf8df7e5d4b196d142a6e7bbac338bc24dd3a49f90bade1dbd7f54fe236a186e4760f553bb204c17eed43ce130e1af69ae0b8169fc3cfa4f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.1MB

MD5
84a5fcc6abf12cdf92f182477ecec763

SHA1
06accb9aaf3d7bc5ecaf2c73e90597809d8cb87b

SHA256
b39ba323ca5befa174b22355cae6057ea8cf360a7847458bb241a6d734d5e17e

SHA512
8a4d41de6a849b48a04bb1be440555898408df7bb7154d3df096b21ead1d8d6f0a94b7e24780ee3bf3f6875ca51f903bfa9288098859db5dac1e1f35f4a1e8c1

Download Submit