9f56bf5fd1df646809d9046759bf412e879388aac65c9810662c762220a7f455

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
Size

3.9MB
MD5

53b2c5a02dc416a87573fcc9c7afd720
SHA1

008c36871eeae3628af5c1c6dc6133f106f3304f
SHA256

9f56bf5fd1df646809d9046759bf412e879388aac65c9810662c762220a7f455
SHA512

bd0229707a4b93974757cf926e533a27e57e73f4cefe6a6576e279143690e646310568fcdb2fd0d7acc0fc0db0f7beb120517930dccb30205375909f9cd89119
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8:sxX7QnxrloE5dpUpWbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4628	ecxopti.exe
1964	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGY\\adobsys.exe"	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUR\\bodaec.exe"	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe
4628	ecxopti.exe
4628	ecxopti.exe
1964	adobsys.exe
1964	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4628	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	92
PID 4768 wrote to memory of 4628	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	92
PID 4768 wrote to memory of 4628	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	92
PID 4768 wrote to memory of 1964	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	93
PID 4768 wrote to memory of 1964	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	93
PID 4768 wrote to memory of 1964	4768	53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53b2c5a02dc416a87573fcc9c7afd720_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\IntelprocGY\adobsys.exe
  C:\IntelprocGY\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocGY\adobsys.exe

Filesize
3.9MB

MD5
3e1808eaae209ea9d22c3c3f277ad296

SHA1
d9610f83c5bde4b305e9f54bb1cfcf40d7993412

SHA256
84018adc82ad94aa43903893e804f8e10ec53587a838fe709dcad9f9d4a4c040

SHA512
174b68f4034dc040a7ea253feaa7ac2b7a562706ff48e35c56019e4f680d344b99f43073f59804f7d24a068cd547f12fd8dc07e855d37f9b6d40214485e6a506

Download Submit
C:\MintUR\bodaec.exe

Filesize
3.7MB

MD5
d52134dc2836b6dc32e3acde22865a46

SHA1
41fd88b6cead1c962d0b9f265ce6f9a7a00c4422

SHA256
219671206271c62f3e6b95bfb47a401e4b7e820f2f47c8c71fc4c1d7d7fc6834

SHA512
e34a0882efeba5cbcf25029ab9e64c049dd42664e1f17c35d810fd31d8fe0c8a8200a33b9f686f4c2167a320c4cac4b1a9aa65ba9b2edaafca7e21a3d931fd70

Download Submit
C:\MintUR\bodaec.exe

Filesize
3.9MB

MD5
2a0a04e3044c7a40a9fb122de6f7c142

SHA1
4117f085430cdd723e58a08b477af236e0037634

SHA256
57c94ae43e4d69a550c9f669dc1ef19b6a3650bd62619a5b7686cdf0b39dcdf9

SHA512
dd2d6d178293863bf2c8bd1a2809a37e685605a3da541b73a969ef63449662dd60274e241c81e0c2737c339a8f7ff0b39cbef5887917835317df3227afb98668

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
3cb1b4d4a68d1656c78169859515d7cb

SHA1
534a9f92619f6fcd6165c369c61447ac50d71eb2

SHA256
57a6f9269503ce7961491152a5d088f4a0c1d69d8f2a8d63029243eebbf71cf8

SHA512
4f2426804f6f7f1315e40086d75bf1f5ab991cbeed012abb022846ce22c53f3ba36ae092240880790f781af2676c8d6061ac907f42a566147eaf955cf92bf58b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7016aa9d0c8366793b49bc845d7065ce

SHA1
ffd9e67a303afb860742b31ce9577d30f546781a

SHA256
61db968b173265ef1d228f7762e2c72dbe45938f54e0958bf99b5b49811c42cc

SHA512
632b6b42f2bde110ac71398196f130cd0dce81a404516709c73c1bc9cd2c541a048bd190d8822496a31427ebbfedf247e70ef64906eff5730e5caca8f4c5d510

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.9MB

MD5
189f781b1411343979176b3a5bc98a93

SHA1
816df6a6bf40e7f93c7b09ada8a995f59ff8eb6c

SHA256
662608721f8eac9f760b21de57e46daf7e0b51dfdbd0f21a33288d5bdf66f142

SHA512
42b7fea32814b191022cd15989d8763075c022cca8cf2d2c356a310472c3c41b5c4d722b3933ffd6b62aacfaa33dff17d51e61603f55645ec122096672747615

Download Submit