7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
Size

3.9MB
MD5

1997c881825c86264ed07533988451e0
SHA1

0431748a6566be7050093656d089b52bcc1fe29e
SHA256

7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542
SHA512

3a7869eec06be58b601aee81747e8d9b95fe6f1e8c8163b53aa76c0190d5ff3c6f734a86ebd613ee63c15303483320509534ec1b3c5807d84c5a2d8387349dc6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	sysaopti.exe
2712	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3C\\xdobec.exe"	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ0Z\\dobaec.exe"	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe
2548	sysaopti.exe
2712	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2548	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2548	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2548	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2548	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2712	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	29
PID 1904 wrote to memory of 2712	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	29
PID 1904 wrote to memory of 2712	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	29
PID 1904 wrote to memory of 2712	1904	1997c881825c86264ed07533988451e0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Files3C\xdobec.exe
  C:\Files3C\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3C\xdobec.exe

Filesize
35KB

MD5
cc8a8c17d4ad2a69bfdb225e1acb12d7

SHA1
f3fe42faa842706378dda35c73e8f0d268079fd5

SHA256
b4ef80bbc959ebd5ff2bd99911c33dca1bf95404aa1bb885a0d751acb89077c9

SHA512
dbbbfb251b097fb542c61c86d97b9bbaf96dbe0bb95ee239829e950aa7bebe26984e8fe99a16182e2fee3b68d128f6d18d6a36b8adce611ccd2902960b162869

Download Submit
C:\LabZ0Z\dobaec.exe

Filesize
3.9MB

MD5
f1a5b3accfa821b6641d6f06deba6541

SHA1
5f36a9fbd913aced75e41ae0ae455ed74f94070d

SHA256
9dbaa72b75346c9dd3342797d8727953bff3f9afc9ef86d4ccccb3d5445fbc6d

SHA512
f63785eabf171fcec48268d0472063d5a87bc1ec429883cb316079ec09ca62520c0678ca584cb6967cdf863b5a8585898652293ce624ffc13598cf2c639361c6

Download Submit
C:\LabZ0Z\dobaec.exe

Filesize
3.9MB

MD5
dd35e5bc9154996288f73c15c81b55b0

SHA1
5d0991dc3d2ff3f7c364bddb4bd9b0fd1111da33

SHA256
e95c87a9af1709b96046f7e9248de4c88a739b5db4b975c37744196709fdb814

SHA512
baf7ce74d82544a8b8079afd027e3352666b2efcae4092d7b82a67d52492227f57c893a9336648395f835953ce3888d6bba532e33535761a266695685439a16f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
ebcadf8777b95d3c573b3fa23d3a7fb4

SHA1
51f70483f75992159703791dfb3cdf907cbc6178

SHA256
accb63f39eec56cf63b88e36a2b3dffa523cb77f8e8be562f35ae7b77afab9b8

SHA512
f282bac73223830c5f3631ed23a63264bdbd8419dff30f941f0efdfbbb819d00c1867d73db5a1a5c22e3bdbae8b21061e733ea9e64fd7c751d0bad9e63aed502

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
f1cf48b36af83a332b8d96ae8b31bd1a

SHA1
5c82871aad52ad89e87c955db5b61532e7918930

SHA256
be5318c9da708a6d97e78b0b595a436768cbaecab559ae6e5f609cfa27ed6d65

SHA512
470f591849a89d50d42e699b95aab631c2a906b54959de3882f35dbd88a728ffe7e3b14b8e9d08f5444eee26f26300a624565eb7f9f3a0b1690a666aaa203fb7

Download Submit
\Files3C\xdobec.exe

Filesize
3.9MB

MD5
1b867c29ab0d5bbb38af47fd3c4e2c72

SHA1
ce0a467c57bb59757be63a2806f335211a7d1abb

SHA256
a1120a3c35aac683dabef745400842f328b640593467dcadf4ffc1162f1ee68a

SHA512
7be9b304a8e32624bda31c7a0d8bbad2a8763d1c73e2924874461322f3100640a375f63e03f0a0e85660ce9672ead00ffa602bd26a108300f3442576b42a3ad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.9MB

MD5
111502b258e17e5b0d2794a362c8ad3e

SHA1
0b27a80f3eb3e5c0f255e32f1063e8ede6624729

SHA256
44e90d2f56245636ec030290144c75fbda62eddc03bd75e70958f3bde504813e

SHA512
1ac6b3cf9d0dc91ce62cd763bb51e5db17ee1bfb5c93aab1447ccac7c99e5b2c4ecb28e85332e5471b7d7fdbfdab6bbaa2ab48d741c2b581198ff7c487c1a437

Download Submit