bb7b1078a837cd7b90bc0da62731dd34eb72e4cf54e966d46849214993917555

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 22:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
Size

3.9MB
MD5

08e15f84fc910517ffd094fb28c96240
SHA1

6b9e69448ab77a2c7c82e0f8dd72d6f5eb560957
SHA256

bb7b1078a837cd7b90bc0da62731dd34eb72e4cf54e966d46849214993917555
SHA512

6391f39f2eb179784394122d6b75199be8c1d0822ad0ba7d71ca28b10cc93efbbedc9c2b7eddfb7cdb7c32c65fc98188d69d71d98acd3b72525b9fa81df367e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	ecabod.exe
2512	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\devbodsys.exe"	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGP\\optixec.exe"	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe
2568	ecabod.exe
2512	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2568	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2568	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2568	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2568	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2512	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2512	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2512	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2512	1628	08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08e15f84fc910517ffd094fb28c96240_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Adobe96\devbodsys.exe
  C:\Adobe96\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe96\devbodsys.exe

Filesize
3.9MB

MD5
2bd59582ee37c3b5f3f59a1fafa1aaca

SHA1
944384530bcf42f5776423ebaec814fbadb86cd8

SHA256
d85991d7fd8beec667189bcb4f3383375f3cd34948efeae86613f1cea6a2ebe3

SHA512
7a6d8a59183e69fab4db03c58500410100ea3167ffaac5d2c63f5fd0df753cd38660ae309d8c97fefc30adb0cd1b1e941787c9c0f9e92c61b5920e284f3eacec

Download Submit
C:\GalaxGP\optixec.exe

Filesize
3.9MB

MD5
8ccb3db7224ab11b6366232e2d7228b8

SHA1
11847a6cf0dfd60d15589df142e68777ba0aa27b

SHA256
c0786f7dfd79e80ab4b6d01e384c83cb272612a5918035bb425059d5e89a75fa

SHA512
f8d34ce3eb700eda8f86ba44ab40d67550faec5105ba76a8598f69d491f96007b26d254438024f1055b6af539068d730eb2122b4b7a4fb341235568277fea4d0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
4fc1d89eaba01a240237083756f5cd20

SHA1
b931da93d655eb6bb6f1c6317976a842810acd3f

SHA256
fad338c344be796cb5327b3902917348fafbdec9063369d2a83439dfcfad8a45

SHA512
cf607eedfc59d53770268f14d55fc79060b6d624d302d7a590ce51a92216a1ef9f1037c96f57d33953a8e53ab9580027df2eaf69eb69c7a115320a269332b81c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
db522ad3010b7a3151f2dcbb131bce0e

SHA1
ee975f3ae3e335522ff1afd06cb2ed7457c77bea

SHA256
9a4d82b1c5eecc2277c764f8d72a2312d97916e4e8c1282c0c8209c3341dbdd7

SHA512
d3f209da25a869631ce540436dc4b52eb7c8624a6af2dd7118d4f76cc439902e54962c630b52d155a78323f263238ce8b17dbd3294453e534585b00311e356b4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.9MB

MD5
5643cbc2d695e0fc9dd67ef1f456409a

SHA1
0b29d5542a66b6311b8498c4373a1617c8dfd625

SHA256
bce5ba69819bfba09c33ccc1dbf086f0db7029eed7b633634bd74f0eca8a6a80

SHA512
d1aa03cb30685b0d7fd7fcd85ea7b068a43691cdee52629ba30d4a8a3c03e6716c732ac3c11df616f9db64e3954bc4f0226086258781758912168a255aea813b

Download Submit