1d8cc8c85fd50970a0ef65159e56380971a1f80b2887477f7050a1edd9c6402c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
Size

4.1MB
MD5

18670970356b20561ac15a6edf5efdd0
SHA1

a55cdfb2a5b2f18c624e612900220605c1cee147
SHA256

1d8cc8c85fd50970a0ef65159e56380971a1f80b2887477f7050a1edd9c6402c
SHA512

135e69385454ae791a642ff7d626fa62ca8eb352b6f8b3f35eb45e0e92409a173c60477b5ee6063faa555241743dc25e7d09dad8ac989152524175bbc9c12f9b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	ecdevdob.exe
2000	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvN6\\aoptiloc.exe"	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSR\\bodxsys.exe"	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe
2376	ecdevdob.exe
2000	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2376	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	28
PID 2988 wrote to memory of 2376	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	28
PID 2988 wrote to memory of 2376	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	28
PID 2988 wrote to memory of 2376	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	28
PID 2988 wrote to memory of 2000	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	29
PID 2988 wrote to memory of 2000	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	29
PID 2988 wrote to memory of 2000	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	29
PID 2988 wrote to memory of 2000	2988	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\SysDrvN6\aoptiloc.exe
  C:\SysDrvN6\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintSR\bodxsys.exe

Filesize
2.4MB

MD5
e2bb935bd89bdb494b8df620472b4dd5

SHA1
635fd60bb5e00f7122bc52129d7f8a390103296e

SHA256
64375bbc2d0f921ec0535f5d4c9d30fed44d103076bc4cacf6cbba74e32ed50a

SHA512
5e3bd95f14d62e5a98fa2a6acfbe7233ee676e5c4775c25f253f649ed3e422149b44b11f20f31a5c2f965fb2a5f645a15da81ba23066cf5d579add7e432c55d9

Download Submit
C:\MintSR\bodxsys.exe

Filesize
4.1MB

MD5
8fa5365b0621564086e16c747c900fae

SHA1
ef6e146765f1c29c856dfe84b7f14802a696f4c1

SHA256
b58015a4f3a00693b7852397f22696132e845fdc2948c70538edb0a501e41663

SHA512
d81bc4ad776f52fdf765e30c36138926a3bd8fe8d6b23252980254d45268be7f1c745b9447f0ef113e85490a7b58005c60a10618166a78e6ec5bd3acc4c4f0f3

Download Submit
C:\SysDrvN6\aoptiloc.exe

Filesize
4.1MB

MD5
7a03997f2454955b966d67e8497260c6

SHA1
9ec1b7594ca1331fd816342792ab37222aefc9f5

SHA256
cfcdf0b363b199fc7d1f0a8072b598809204592a3c1b539b5fc37ea3a5e99c18

SHA512
d919e6af067c621ed0350215fda723d21a0604c3c5388604036e23657bd3cba55cabf5c3851a6f9f8037c2ed89b5ef6a246ec5eaace8fdcf0a65351760a9bcf4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
979ec08d8453cb89bb2aa192acbdf687

SHA1
8e0f62bd96a57b1a4a6daf09052c1b94c6881b3e

SHA256
53e198aa05a0cff90842221fe72571b8b932b6da443f4cb5858d4a9439d29902

SHA512
fbdb122087283e8f7e1edf47e6ed0a2682d8bded8fa26215138a2f92ca617119351abc58c6ad18ba674a2b35a4bee7f19867b899804278c33190416e6ee0ab32

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1cd45035f740710c02dc55c69a77affd

SHA1
ddabfdf0163bd0dfe8b58774105764a1d9b470a6

SHA256
eda7c843d7240abe9fcc104df36a5443dc35653ffc646cc724c97b936d6e1eed

SHA512
608bc049e5fec761eb489604e31a774d628c1d2f744657cd1c9f759e749a40a88fb9c2907f808b42db4353530b11ef212cffecfac923c77df2455013a403a379

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
4.1MB

MD5
4cabeaa07cd3a27a2a0604d1670345a4

SHA1
295fd9793cd54321358090a6df7642fe570a9507

SHA256
08c13569b6c77c547c9546e9d8165ac5d87779d22024a29de25516bcba654b2b

SHA512
93b4a3c30b04658df1caf3763789460e98ebcd33290e664ada1e476883d5133dff1da9d85f976c012e7486eaebc76cb25581293902fd4a7e8d69158b73a2cad2

Download Submit