00f237e3b4809c5ba620c67e0caa28258c11195dfc78929f170f33fa21cc9bee

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
Size

4.0MB
MD5

0c8392d86938cb428d0b2ff4053f7500
SHA1

c7fc0c454864e4f905e8eeb02499fef6b27ffe78
SHA256

00f237e3b4809c5ba620c67e0caa28258c11195dfc78929f170f33fa21cc9bee
SHA512

5934119cbababee7cfff025f1d8302b56dd707c495c4e05a055a3461f199d09910d22f71a5d1fddf5d3257bf6aedee77c28463dd396bb8203c41b395e4c5553d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUptbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	locdevdob.exe
3052	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xdobsys.exe"	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint97\\optiaec.exe"	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe
1992	locdevdob.exe
3052	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1992	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 1992	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 1992	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 1992	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 3052	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 3052	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 3052	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 3052	2948	0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c8392d86938cb428d0b2ff4053f7500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\UserDot4X\xdobsys.exe
  C:\UserDot4X\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint97\optiaec.exe

Filesize
3.5MB

MD5
6b3e5eee45ffa6b23068da946819aa64

SHA1
ce933d23d09c5f7ff334a92ec239d95462ac1b08

SHA256
6ca343487e3c0abfa513a0bf7387d4f5f7d7934656f98b50a119472176116798

SHA512
ccbd5850a11edb158ae1b67034f8c6120c915d4955e54273192c3eb012a2636719c91a927ad7614dddeb0081405a867f994ca5a5135c3ddf13217e5032d16c0e

Download Submit
C:\Mint97\optiaec.exe

Filesize
4.0MB

MD5
5f2cba54c917edf63e80f6b758fa1ed8

SHA1
84640212d88896249fefb7edb3aad84469fd4df3

SHA256
a233f03cf67c19505f3f0c811db4173346118928a531cf1e64a114c05524a9ff

SHA512
bb01404c5ed004cfd8b52c6fa431d187ca904e4c2864500c69e49302449756f5d7f991e85f81dbfc682daa0901d2a85ec02d1d7cae9dd15db6fe7c9e0c1d4f1d

Download Submit
C:\UserDot4X\xdobsys.exe

Filesize
4.0MB

MD5
508b004af89dadc93e4338aef641c776

SHA1
72442e176a4bad46876e44feacc04514b7daa7e9

SHA256
e52487a22d6503e70869cd768edc27b9d4301a890e6af0c067625db9abe72e9d

SHA512
c7965fd91dc261eed682a2e2c9286081d3d149d7d760eae32ffeffd24339163aeca2d36706959d35476996914916707a0c0fc3038df81b6017767923eeaac00a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
260beb2db3588c83f2bc4ecfa699e129

SHA1
b0d926146a4efea8d8d70acaf1743f29ae16e1c5

SHA256
a14c1ea3aaa108f962fb8f3ce79cf6af8f1171c91ba353e8594f2be0c06e007e

SHA512
5776a376c2fd63aee513d35aa1a7387536d240d32bb41aea91854579ae369545999a4fa44972fc512ccf9d05db90bc4e9afc90e00abf98c56fbc04167cb786a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
79e97bde734b9f66dab4cd5d794ce085

SHA1
7fa015c7f1ab120a241eda2bc98566e883d08937

SHA256
ac21570ccc57cc1c02561dae3bf3e19a2ce8ff1d79d0f30b44a64e90cdb52b33

SHA512
e07d62e07fa6332c6fcaf101eb67595d7d2757f2498fd8bcbb8a9b84c8216fd69cc2f8e2a4111722d252bd762b1142a53182dd7dd68832b798c1ee1f7f505197

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
4.0MB

MD5
868fceafcb20c5cecb15cab31a4be7c5

SHA1
3d2aede64f507e596507264382e49fa1425a5662

SHA256
3fecbf447f568511cae7ce94ecaf2f543de12af69cedcf3745fc6ba7f0a2c7d3

SHA512
f28359356ab46dc1f52cd980e01f66d39ba06e7938084c3d0b9b991e360c709048a01f7586f65dd32e9ca1642cca09c878b2fc5cbb12b4619651a4f44db7c94e

Download Submit