8430bbb01decbfffad41e6a785aa5fd69b6374e65edfaa9c13360b68a22ad053

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
Size

3.2MB
MD5

000ae7abf052ff1f57d4cf71f49c728d
SHA1

a0175daf9f82d87af0173652fad44fa6048b89dc
SHA256

8430bbb01decbfffad41e6a785aa5fd69b6374e65edfaa9c13360b68a22ad053
SHA512

b5fc104c3e9f4a82f73186639325028e48eb21dbf1a647b5e916911631f071b2d2340cb3cfd040d5711fa4eb1abc58cd28b49b91879a3f7f55abe1f99ecd5a2f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4844	ecdevdob.exe
1304	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQW\\xdobsys.exe"	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVD\\optialoc.exe"	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe
4844	ecdevdob.exe
4844	ecdevdob.exe
1304	xdobsys.exe
1304	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4844	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	87
PID 4240 wrote to memory of 4844	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	87
PID 4240 wrote to memory of 4844	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	87
PID 4240 wrote to memory of 1304	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	89
PID 4240 wrote to memory of 1304	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	89
PID 4240 wrote to memory of 1304	4240	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\UserDotQW\xdobsys.exe
  C:\UserDotQW\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVD\optialoc.exe

Filesize
3.2MB

MD5
448279e1a30eaada88128157f59a5f1c

SHA1
673b2454e56029d8c2f4d3f90003cdabd09659db

SHA256
d2824fda8222ac3214cb0085c9160f9bc17a51b11a4f23076661f29d197702b8

SHA512
0df7c94b1cd9a51852f9cc6ea5d54cee5175b64ed54f5363f79cd4d227aa82e9d486343f949e0a2489b95e3c56a4fb7203f6b47bd3b06cf2135f5a5f7ec35961

Download Submit
C:\KaVBVD\optialoc.exe

Filesize
1.4MB

MD5
76f2b94e830a44645a3dc588452935bc

SHA1
26d0af0b2a266fdada5f658075ebf83fde34fc8a

SHA256
7d7963cc2f005a865e0a7e56709922f4267ff5455fbca53484e9a3d40ba82ff6

SHA512
c298bf0f6f69b4b9c801e29577a7455090767e78868196d206f2428b4746c463bb2b8bd8da92411a7ec06306cc630b30f69f698429ffa9542c7ed8f0a140a5c9

Download Submit
C:\UserDotQW\xdobsys.exe

Filesize
3.2MB

MD5
65e7f0250fe81cf86de73c70cfc7c956

SHA1
b655288acb43b549a13dad8fb276248a5397b1db

SHA256
b02991e4450aced5dba18383b5588810032fe901f59b2cbbf66edab8375d037b

SHA512
4400c4d092aa30a6371b6b3cbb3621eae0c3f5c68d194f0cd830d70480213c79a309448ef9544e344262d88142827d6f2f2bad91086eed7508e5fe10e1d4f7fb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
a77c2246433912f9bcb845157428606a

SHA1
2c23bae648dee219f18eaf5f3c50eab7c0d5ae11

SHA256
391201f737f1d60bee86100accb0259ab45a33e0aaba3f54e43fc93df464f37f

SHA512
f83cc763fea61cce2b4b3c523cabee583c357cd17702961755fc00e6696f8d2e7b66d8325eae8077ad40260a8a738af2678e03767105ec51b30b736761fdef64

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
4d7452318983930a433135b9d752260b

SHA1
c2b992632b2beb71cec994fdf6835d1a471322e8

SHA256
a907a538d9aaaf5fa1c6ca8053703fb3194bc058376cb62b5c628c8ffd50f853

SHA512
b152aa4b2425fef1d2eddb59e4f6b5d68f2944c9bd9eee7d2a1994936c962d912dba9e9decb1ec7cbee9c64e4c6dfb932f7803300ecd751d7065f659a8eafadf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
d50db717f8f7842a96e9b1c7aabf00f1

SHA1
7e134968078e85afd3321af55ee540e8616a3103

SHA256
8b3f45adf995197d7ddae6514195b4bea50e84ea6ec67c600b8138c8bb6dd6d1

SHA512
3011d6d830bd6f004bb5adcfb944582a22c040ac670d46f8d5573df0e67bc69b94fe5f7ad7d211e0de16d9ccd29a18dc4fe66818c8735e1429789de650758a11

Download Submit