483f21ec6aed613c497c455e889b58da1d50d591fa2afcd8432b2df12a4b8260

Analysis

max time kernel
148s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
Size

4.0MB
MD5

c3077b08b047e16f7a405d2c6dd47920
SHA1

aaafeb6ab7b3c64caa9b5b7e421993d050625afb
SHA256

483f21ec6aed613c497c455e889b58da1d50d591fa2afcd8432b2df12a4b8260
SHA512

99b91dc98499638794bc6faf61f1d0fbcf5048453688fb578a80eccb7ee601862fdadc7c972abe76c456d2778109197f3deea6ced74461c62b8c1a82ee138b8a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
5088	ecabod.exe
3104	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGE\\devoptiloc.exe"	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW2\\optialoc.exe"	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe
5088	ecabod.exe
5088	ecabod.exe
3104	devoptiloc.exe
3104	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 5088	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	94
PID 3688 wrote to memory of 5088	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	94
PID 3688 wrote to memory of 5088	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	94
PID 3688 wrote to memory of 3104	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	95
PID 3688 wrote to memory of 3104	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	95
PID 3688 wrote to memory of 3104	3688	c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe	95

C:\Users\Admin\AppData\Local\Temp\c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3077b08b047e16f7a405d2c6dd47920_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\AdobeGE\devoptiloc.exe
  C:\AdobeGE\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3212,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGE\devoptiloc.exe

Filesize
4.0MB

MD5
bf10fd61b8ceb02ef7175965670ef5a3

SHA1
36cf2aef685257df17689eaaf9b229f898557f1a

SHA256
d0ec7e42688aa6024adab52dfb03f8d3121e71f99862c5e11bf7a94b509270c9

SHA512
4975d65b0351af15e1b2e2853c7549ad16dab5426327c23100fe8853bb342960521bcd8562e7f4c5ea0b8b4cbb6040c13f7018ae3db78d69b1eedd7d5bcb50eb

Download Submit
C:\MintW2\optialoc.exe

Filesize
4.0MB

MD5
e333a915ad6a825f9900b8efbab8c3e0

SHA1
68f51f0412e2be5adea455ac292d3ac3a757bc32

SHA256
7d185f1764c5d88faa6db7190d10dde1c37bc994db7a47d3890c5c6e59db6808

SHA512
898028b57f52b07c7687f71d76e640f12fc81e7f64db7ea11ce9595bb85a2b80491fb816ce3cc9bcf9f1e87b378c1d340db8758002a5418e4dd46356b74a09bc

Download Submit
C:\MintW2\optialoc.exe

Filesize
892KB

MD5
c63af1e2bdeb4597edbfc824bf765164

SHA1
1fb70184e37ecf8c0c4f544cf031f5282e5cb7a2

SHA256
5fe1f013deb51d3e738b1ec4ae4c57ca622c3ea41e65a3fc14555af1a6c95b3e

SHA512
41a8334d6a50a24df6797fa5540b0dafac7b9a0a1aa33e2235712f333838ce6e4a49be561cc679cbb29942d896f916c9fd195dbda3dbf7aadaadaee6e40c008e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
9e1c14b2832ad16e83e091e37461f858

SHA1
fda1efb2aad52671933df17c7da632bd8763213d

SHA256
39e9cd02853b6c385330a54b5a826b11709178b7a5c5874101fc68b767467ac3

SHA512
58377e66d6dae33e3c3006e0e490c0768a39df8aa1923b8e15378b471a14ebb03ca5c6ec595aeb59d72b61f86d62ba64be1fabefa73679ccb8d7302c22e37df8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
57b688a51fb0e37e131530354c867f79

SHA1
103671db94468921d2c723db85b1f1b1a510b93b

SHA256
102ecb0f8f51dee7dd11aef953b40fe07cce6ff2fb82b4692343f8b103bf721a

SHA512
c7f7c9915a59b99fe9986347fa8f9eb2d270fca44b4d4bda802fbbc965b229b51d32a840da8d303085713f1c7bf89d5ae0334368caa1db74852c997a58c0d8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.0MB

MD5
e3521daf5ce9d6951391c2aada44c97a

SHA1
076ea4f0aa67ecf9e66987c99cb3cf8ee6dbc48b

SHA256
5f9f9bd6eca0291ef9f9fac53a7f38d276ed9e1f64951187b55d4619ea6048b3

SHA512
4bec0c0ce5d04bafcce10993bc07e351b8d3c88d44ab7e4f951108ea19e77df77967868af8b310b590c0002d69d12fe5e5043ec5544f50ef4983f3b0e83c5ca3

Download Submit