971d73711d48b0af290dcab562eb1e2cbfae6521bad85662266a7d2208e7d3a9

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
Size

3.1MB
MD5

0cd7f3c8e52e5b385a05db4620a0a810
SHA1

ab3f91c72f0a28555fa498ad7df295cadb81a5c4
SHA256

971d73711d48b0af290dcab562eb1e2cbfae6521bad85662266a7d2208e7d3a9
SHA512

6e37b8b8588fb0f31914f0e167141edea861d6a0891ed8321437f4673f7899007df28ae2ddeccacb3beb43306070c76995e774142ef9844c1e53705ca72446bd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	ecdevopti.exe
2480	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8T\\devdobec.exe"	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEF\\dobdevloc.exe"	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe
2704	ecdevopti.exe
2480	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2704	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	28
PID 1692 wrote to memory of 2704	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	28
PID 1692 wrote to memory of 2704	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	28
PID 1692 wrote to memory of 2704	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	28
PID 1692 wrote to memory of 2480	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	29
PID 1692 wrote to memory of 2480	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	29
PID 1692 wrote to memory of 2480	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	29
PID 1692 wrote to memory of 2480	1692	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\UserDot8T\devdobec.exe
  C:\UserDot8T\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot8T\devdobec.exe

Filesize
3.1MB

MD5
837bb6b6006739f9af09d95add3669bf

SHA1
5d3938b0e88bf9072882e83a6ae8bbb996a343ad

SHA256
51a8d86ad71f982e3ec1a6267b30fd1f8cb576651963508055cfa9c386249beb

SHA512
595468d71663cb20787b251130c97e34ac2611d41bf5dd8880a1bcbaf5f7f2f1b7699b99a18e17206039ca6a7eb42bfb789770804614416a277acccf75e3e5fb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
34319b50873408a05ad6d8b2a91a61b6

SHA1
70a04f6c4a5f9d106d253492e98640a8d9ee475c

SHA256
0e2c60507b0e0b79066fd467c8211bf9242cf343cbf5106e78aa21eb86e9e04c

SHA512
303d233d6f6f433189011cb2aa129a3e5ea761c7c61fe326aa09566aed1a63b9bf0c5fd484a17c74760a446360add304e52f88c551cc21e727558148ae3a6a7c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
9ddbd6d902a1d825bf3c2c447c119140

SHA1
858cc842577f16c40e6f12110687c88232d98e03

SHA256
9bb77e8c0064a4c54a9168c4cbc543a74ea93aef8f75704990f3cb42ab7de408

SHA512
f36693355c04041c9386c77239ac534d2311e880bbff4b0cc35b132a41b9b80f5247a6f0635ce2e70477eeb196aec5cbf6349f8298efa5bda2b7d2c5bc7d9a52

Download Submit
C:\VidEF\dobdevloc.exe

Filesize
3.1MB

MD5
570e32a3e06c56d74c9fc8fd5b5bb344

SHA1
a67e3ffd68549c13a2540b1baee3b4b33ce76873

SHA256
063a5e8fa70f214a3fbcefcf1938700e592007cef773f7baeefdc7f4af7b1a8a

SHA512
0c7be5a9573811f6c7f3ef7fd42ea5fa104e194372fea5047f6b473117fca9c866192de6f016a1c4b56e71ced9e5956674577ded7080b904c93a403dabb9c704

Download Submit
C:\VidEF\dobdevloc.exe

Filesize
3.1MB

MD5
795875ca5df7c54aae7dfb94827db10f

SHA1
7f2f5c104d6d94bdecb9981b7ed9505c2839e6a9

SHA256
dea78523b569048b83b45f0761cf00f83ff43eaea27d70a72aa30078641c14cc

SHA512
21181bab5b46902ab129c00efee21bccb2d3b2459edc78a5891a828a134a9bb5e3641255898dd7c2c9e968145e142012981950b6ccc204a2c9d85f0654abcee6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.1MB

MD5
c1d3834b878ef0cceaf166f9556c3d2c

SHA1
8daa4526f86906592f11814edf5290deb38585cb

SHA256
fc10d6c3cbb1fc68343e01abdf7a98070501d87777200be1402658cc9d8a8ba9

SHA512
43786fc73eac1f4bf4b3a737a4d1c6430e1d7bee968d8cadab7b79ec201cf099351eb728c0272666f7a59b7894daac4fc41dae8363b454ab64b80f620ea89e47

Download Submit