7309de65f8a90f0247e82dd3fad354202897ac6cfcb8ff42f26bb56d9fb42703

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
Size

2.6MB
MD5

afc37cfaa3a3ac5d8ed5ecaed32846c0
SHA1

15eb7cbe991a6a33a87200b031fe011af5ee77c0
SHA256

7309de65f8a90f0247e82dd3fad354202897ac6cfcb8ff42f26bb56d9fb42703
SHA512

77ae33a9f98d617defbce8b66afb154199e8fb5851b148f597ba6e75cb0d25fa297035e263989cd268d5758f2e39d59e53323749f74b140dcc443699b59c94cb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
5084	ecdevopti.exe
2304	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW2\\xdobsys.exe"	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3D\\optidevloc.exe"	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe
5084	ecdevopti.exe
5084	ecdevopti.exe
2304	xdobsys.exe
2304	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 5084	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	85
PID 3180 wrote to memory of 5084	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	85
PID 3180 wrote to memory of 5084	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	85
PID 3180 wrote to memory of 2304	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	86
PID 3180 wrote to memory of 2304	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	86
PID 3180 wrote to memory of 2304	3180	afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\afc37cfaa3a3ac5d8ed5ecaed32846c0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\IntelprocW2\xdobsys.exe
  C:\IntelprocW2\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW2\xdobsys.exe

Filesize
2.6MB

MD5
1f14fd0e6660d6f1c92ba98d5c5171f3

SHA1
1b39ca337f5c406e493c1c98fdd5c4a14d56ba99

SHA256
6ed8eb716bf202fb5b92e9ca916d3f2a31dea25b1e0b721bd37ce2fe55556be4

SHA512
eaf3d175ab92b3becc7ff9ccf3bb7b58b68ac1c7d5aa5923ed34bd3c1d2ea354d9112c73cd4d9e6c2bdf0d70ee77d01f89f6e45a3dfb3e492012aec1d6ebec22

Download Submit
C:\Mint3D\optidevloc.exe

Filesize
2.6MB

MD5
465e69469b8abcfa07dc9e52ef742c26

SHA1
73c4bcbd13ae7332c16aef96e067b6fb500a5fe5

SHA256
d50b38605a87cae88be0cc4ea19adf858175bf6d2361281df493d73891109e92

SHA512
1ef46cf5b5991591c82b95d4f2d7ef0dcbbffbce886a6217d3eb68a6ccdf1abc1a7c263b57cb1ca39fa670aa47f30f7afb47af23f0e7faee2f83190bc77736b8

Download Submit
C:\Mint3D\optidevloc.exe

Filesize
2.6MB

MD5
d72205eec09accd35de8bcdcae1abd6d

SHA1
19d07150b59a8b9d36718c5fb32a905a4247422f

SHA256
15e1b7fcf2a3b7ecb08d6e4b4ad10a4a10dca4559689194d679157c6e60c0d69

SHA512
2adf52baf6e079a6e33c0a47e1f032fc362a4f7aa9feeb8296911035efabf995cdf4d9f67c505bdd4526e1d6cd3c1533a7d3fa2493a322dc80552df749a99908

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
49910973475a7b8575a19e66f4c1efa2

SHA1
b75d0b33db38c8325469bf89abe6fce0b6f414c2

SHA256
52d5a71ceccc2de8ec095ca7c58ced2cfa0c21c7358c4ddeaebbfae33b1b15ae

SHA512
6b95890cf53a523f5e6e059bca00a7cfdcd7f792cd6aca475366bdb336a6214e0089f18ed7d76ab648314b9c29c58fed9bed053c636fb7da52ab7ef8fcbd1f64

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
20620c1b7e44d57067aa3592daf4f27a

SHA1
dec953e567b593df93bcdff19249ef7a95707209

SHA256
24ffb733666061132d58507f092f5a9aff907d72aafb9b3ea02747c13af914a2

SHA512
12a8e52482310ee605d5e9310ff79a48694d35011533b1d3c607d6267c6f21013f942356fcaf0465f5a7a4bc5359a0843f63d29af7d37b055c71c1d0f749d3d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
bed4281b27d2e5bf8726889685729831

SHA1
fc7a4cfe9ef62fb66e06f88e77391f7069679cf8

SHA256
29c0d44c0ddf1b7a93cba223fa31ffdccba3dd46010a6b59e5fbe430c8990a4e

SHA512
ba081551d79fd1c9f029ccbf7727268dcac3703cea0f909fa573e87b7806ed5bffe4494e63dd9111569055850f61d9f395af4c2ec4586f400654a23b73e3de53

Download Submit