971d73711d48b0af290dcab562eb1e2cbfae6521bad85662266a7d2208e7d3a9

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
Size

3.1MB
MD5

0cd7f3c8e52e5b385a05db4620a0a810
SHA1

ab3f91c72f0a28555fa498ad7df295cadb81a5c4
SHA256

971d73711d48b0af290dcab562eb1e2cbfae6521bad85662266a7d2208e7d3a9
SHA512

6e37b8b8588fb0f31914f0e167141edea861d6a0891ed8321437f4673f7899007df28ae2ddeccacb3beb43306070c76995e774142ef9844c1e53705ca72446bd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3984	ecdevdob.exe
4568	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotXA\\devoptisys.exe"	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIG\\dobxec.exe"	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe
3984	ecdevdob.exe
3984	ecdevdob.exe
4568	devoptisys.exe
4568	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3984	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	86
PID 2792 wrote to memory of 3984	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	86
PID 2792 wrote to memory of 3984	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	86
PID 2792 wrote to memory of 4568	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	87
PID 2792 wrote to memory of 4568	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	87
PID 2792 wrote to memory of 4568	2792	0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cd7f3c8e52e5b385a05db4620a0a810_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\UserDotXA\devoptisys.exe
  C:\UserDotXA\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZIG\dobxec.exe

Filesize
256B

MD5
bae5eb085a9f023b8d36e2a083933bdd

SHA1
c8f3b383d6ce74e8606027a03db4b0ae08c513b1

SHA256
b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

SHA512
93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

Download Submit
C:\LabZIG\dobxec.exe

Filesize
3.1MB

MD5
348edb98c9c10dcace4a82a65368f9e6

SHA1
8a2d78e62a03da5304233a4f1076ad3a88adf14a

SHA256
b36f89f9de2140ca93bd458aab740df6f884eae195b1a4934149e62143ece203

SHA512
4d316443494737d13d635458c47bba0a93131046a4b8ba37739810d3eba1b3334c8d91582dfd9b5a3885dc4d45cdd482d144a1e080e8bdf1c813043cbfa361ad

Download Submit
C:\UserDotXA\devoptisys.exe

Filesize
707KB

MD5
7d577cb6f8175e159d632b91ba9e8761

SHA1
00f482ef2d73525e0250f915c171cb00d88ffcde

SHA256
ede43da5bbdcdbc544f7d5e1cff5712ae0cffe57a693e341d255e5bfdf4c282a

SHA512
b5070ad793e750c13bc8b66df09864da2c26c79752f88a2d45bd7c0cf6d134fb894f023a09eebca426931043809efa622bdbc4cda9147f4dc791f0f3be74bbb6

Download Submit
C:\UserDotXA\devoptisys.exe

Filesize
3.1MB

MD5
b8d6a30cfe36c28a3e46cc298be1feca

SHA1
95cb9b7aa7182ed97582ec58e687dffeac0ab949

SHA256
e6c488be096c1ab4cd743e88e34a54bffc8cfbe0736d0124aa0446acbd7147b9

SHA512
5c92f158daf82a9e4376cb7098016f283044fee886a1213bc023da9eb82a67b0e7aee50ab9435ece0cf350f413f0d7d78c3eec3d2a5fb00c489ae8ba4cab9be6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
783665d321d8e0c93d2198499d9c4c58

SHA1
e55d33d26cfc605797059cb757f21cdbee1a4e9e

SHA256
9d3b6ddb769296ebf49b5abc49680287331893e72ff61c0d8bae6b36810929c8

SHA512
d95e4501f7c2e4f53ee410c0582bb48c8cac109010a1448de8b3281f9326f2300223b6baff2c1fd6640ad162eb9ff5262311bf8c49d04b1f9d2b1feac4d3ae49

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
17bed70ec86aa3405064c6e629e549b2

SHA1
c8f2f7832560dedd6f75cdd25b23fb1a45f60cd0

SHA256
950326c84dd05c43bac56e8da31a99915c71849319c97e80cb3e6101fe4f9106

SHA512
de5bdbd2a181e603897e40bb38540bd03f9792e6dfd4192b1550d18e0c86f977ee3bf9c80fb4e311aa67c729d0791069728af2ab41f251f22925ad788789592a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.1MB

MD5
a744ce27551c1d9f6b75122d0a470461

SHA1
bcf6d90a68a98a7c609ff3e39de91c231ddc19b4

SHA256
e32f3de3fa811cb97a3840f12f6a920a100b5a2d4dc912421ec2d68c96a8c8b6

SHA512
e7870d247c2814d7b515856370e7241062300315264fcbdf41c553993e811c6302cb11ade574b7d4c9496b23497c92c3c86125eeeeda27a15047708c5a044476

Download Submit