510dc6d610296398a56d76b4c833e14d3d1894919fccbf21358f364c2f8b9ca8

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
Size

3.0MB
MD5

050cd2195fd6d016d12fb80b11a0d190
SHA1

315220b545a6cb47f42760ceebb60191f172d57f
SHA256

510dc6d610296398a56d76b4c833e14d3d1894919fccbf21358f364c2f8b9ca8
SHA512

9e86cf35761008f4f427cc9ac18e58314f4b3bbed572db335dd93ab71bf1e3983a7fa9f3b90adf969d7087120c54a08651f1d946f966e3fb40c023394e748a76
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNX:sxX7QnxrloE5dpUpfbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	ecxdob.exe
3032	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1O\\devdobec.exe"	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRL\\optidevsys.exe"	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe
1740	ecxdob.exe
3032	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1740	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1740	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1740	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1740	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 3032	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 3032	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 3032	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 3032	2132	050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\050cd2195fd6d016d12fb80b11a0d190_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\Intelproc1O\devdobec.exe
  C:\Intelproc1O\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1O\devdobec.exe

Filesize
3.0MB

MD5
a04b64713550f901ef2c6a944e294f6a

SHA1
8e6c5102672befcd6a93ba442ee0791c93902d40

SHA256
be1ffc156abd18ab12299d3e277039e75d6921c10d75791de70a6a1405263cf3

SHA512
9a5cbd6fb90c7d2392b4f4b000bf9f46df5e5101120ff38922c30b9315ae07b7ba342a6f12845bf80b56425b475af566fd9ae66148aaee82a029a67b52c99eb8

Download Submit
C:\LabZRL\optidevsys.exe

Filesize
3.0MB

MD5
e162e7d5ebbfc1974945e4c51f5a2a6d

SHA1
aca7ca3f8203d32a8d528049ed67bb674139e159

SHA256
75bf169cf1ff99a9bc4605233fb3da689e805a90323a356144fd8b17454be402

SHA512
64ab4e8b0220168154c1d6d8685938e23ece1b58f05472767a004ddc628cb192b71c897a0b87a324fedf96e14d9389b30297359e02973ae7dccbf3cc441c544d

Download Submit
C:\LabZRL\optidevsys.exe

Filesize
3.0MB

MD5
7df3803dfa094a3c8f0a3fcfa4aa3d96

SHA1
f5e0cae6f5102c3f1f2a24a0c79079e349da26f0

SHA256
584ec2305bbb8f4254cd2b123d1d010b9fbf3e2f633a1ca0802554d557e4fe53

SHA512
abaa5f7438bee6ef144e5a4fca99a499b7cb18a22b6e5e0d0a768103fee55c4dc7d3df0ab1dfef22b44e2f0e014bb05e54dd85637cf09322a5e36bf7b8752593

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
390e8c1ec4de44dcdef271b41a4095fb

SHA1
74f4e289b02c70cff5016b2bb79435115256c659

SHA256
917daa25e5d5b21da8ec9e3b8b8cd612bf433cfe8bce4bd412fef7b9a4a1e7f1

SHA512
96c9fb05f684ef13373753909d518d4acbaea701b0f77c4ec448a727ee2a9008c12872d32c7abe8d1faa15df5043f176ed7560fc17c736c82b832ed0631b0084

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
69975a9c3a655b423b7dcab335c8cf98

SHA1
d578640f97f30de638541a4aac9a767ea38bfdd7

SHA256
011c06cf5586671063a466bf792b60e704781c45efb88f3f2a498da7c640263a

SHA512
01151d7a200b098397383e4b75823a71df12c86c9d75de90fc34c564876ae101f018167a09aa80d92499f62bbbd3abbe63d5cf9a5a4155fe9e5b178a5ee92de4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.0MB

MD5
62e0a12709ba0f1ec654c24e47330885

SHA1
a4e6c60af1041714ef6c1a24be883cf189048569

SHA256
345eb39f563ecfcd7a5b92832f2f63174840de454da629928ac16add4553085e

SHA512
d34fa69ec457f972cafd15f892b4752cc022b5e27d6050258e143974b53131e41b0bffe4cadd8c08b3ea9bc2aa996cb999ae6f9296cd0d55b31fb6e66c5968eb

Download Submit