f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Size

3.9MB
MD5

a6db96aef9150433481995726b09b8a0
SHA1

670f4bc6abfaf8b7b1588d8ca553a5d2f5018e5b
SHA256

f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16
SHA512

58f6451eba42d242a876668b0939d564db44a57b21ee6f2dafae552f377f4a1daee4058e0959576db12d2fb4f451cc249ea649518482d49639d4322e74507be3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	ecxdob.exe
2648	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPJ\\devoptiec.exe"	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4I\\bodxloc.exe"	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe
2984	ecxdob.exe
2648	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2984	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	28
PID 2156 wrote to memory of 2984	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	28
PID 2156 wrote to memory of 2984	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	28
PID 2156 wrote to memory of 2984	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	28
PID 2156 wrote to memory of 2648	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 2648	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 2648	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 2648	2156	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\UserDotPJ\devoptiec.exe
  C:\UserDotPJ\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4I\bodxloc.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\Galax4I\bodxloc.exe

Filesize
3.9MB

MD5
f002a266b390177af589bde294600d6a

SHA1
470b35bc9141281fc6ac42f4217bf86569cfd18a

SHA256
41e2e4a85766c22b9877e5c2dd85f04ff56d57115b5597df0956d62fa41c3d04

SHA512
9a37e3b8ab8eab1aae813b4d5a33c476ea4bcb52447bd5729e7632a996b2774409a37a00758f8b8e6b6f7846e9e057bbecebc6b2ecc63b90be6eb29bcb114636

Download Submit
C:\UserDotPJ\devoptiec.exe

Filesize
3.9MB

MD5
14ff2e1a32eaba9106c4787082ceed44

SHA1
678f82211cc1c75a32cc6d7a4084d6d20c488877

SHA256
f98a6ed62082e369c1f7c3e87667031da2cd5357a65ad1137494c4b68d21091a

SHA512
5c369277a195baee3c080c09d78e28d455142150c8071733b19a6beecf41debcfc1408dc89a626ab394dc32b25fb0fdba79f1dfdc260c9f6048a9e5140bb90f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
217ff6fb1ab7e2c27ccfba0731ae7396

SHA1
04f6b685e4e6d08fbe8b7c1575d6fa918e999073

SHA256
5f23cf645fbcb23bbb364ee70e5ec78b48efbe8f234961d4c189072cc7d570ae

SHA512
1c8e1ddf250abc49852a9f5fbfa477dda1f93e773313c99981bf7f4073200a0144f976e16cf14e632594e45b1e20be1d48c2f3dc1f9db870d9d025506905dfeb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b91d581e8ecc96ae357110f1f23577a7

SHA1
53be585134e41985dc15064095660862956b98a3

SHA256
d24857a750e0694954e51b2e39c057ffb7c366b19edf1adcdd6c0f6b764337f3

SHA512
a6291a44c720df0dde23e6e9c3ae5ab42a0cb89ab6e286d2bfda86bd28e7438f7cde842ddebac4da0b6185ceb09aafb4f8aa9ea3da0c1e385cc0debd6567f3c0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.9MB

MD5
f1024d1714b88eb090a49b96332fb90c

SHA1
39ac0b6bc208fa553ec46552a60c1c4c186f80c2

SHA256
60837fb9c337b20bb36d3b8a43ddcaed7e3b44a75764bf5e8f23ddb51ca7b582

SHA512
ca9646dd184a7f6cad23aaad64abf0c51333e25ddb38ea3d9478b1a13021b70c8bbde16f9bc4d0a1e09a5ead5bdf3e7e8d224eb44dc9e6802cd7cc8cb24e1086

Download Submit