58fe782d9fee684e127a26e92a196a8da58b18389ca155e06ec178fc904acecc

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
Size

2.6MB
MD5

0242f400cd72d0e6a96cd0d5ae5ab300
SHA1

81956b6d0677bd5592de6a5a51c49443dc3250a0
SHA256

58fe782d9fee684e127a26e92a196a8da58b18389ca155e06ec178fc904acecc
SHA512

ad71e29f1a3a8f651dfc8d8e6d4070c3ee1d2515bfed80a20b853e6b64e6a5855359a8754a44d538e4801345c90d311fa2fede8bb9ff9f24d40a597f5c21f577
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUphb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	ecxopti.exe
2132	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3M\\devdobloc.exe"	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ37\\dobaloc.exe"	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe
2160	ecxopti.exe
2132	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2160	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2160	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2160	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2160	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2132	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	29
PID 2116 wrote to memory of 2132	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	29
PID 2116 wrote to memory of 2132	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	29
PID 2116 wrote to memory of 2132	2116	0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0242f400cd72d0e6a96cd0d5ae5ab300_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Files3M\devdobloc.exe
  C:\Files3M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3M\devdobloc.exe

Filesize
866KB

MD5
bcebaa30b2005d91b18fbd426ca7a772

SHA1
a1915837ff9079517deaa4547b0ac0e8e9334d6b

SHA256
253c9fb18cb9b9454143f71834721036a42cd46b8b954336aeab507d52be3a7d

SHA512
b219e5a5ef6f258c46c81618ff7d8203531e6ffc75b8f40e1cae6f257d2f4f9777f44dd16f802c3963bd64ab6fa9ccf165acdefca38d19d662dd47c7b5b3543f

Download Submit
C:\LabZ37\dobaloc.exe

Filesize
8KB

MD5
b6a3be42755c871ed4a546b6cfb8e5e8

SHA1
45db3ee8541418f154843d4a791071b3c3c65177

SHA256
1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657

SHA512
a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e

Download Submit
C:\LabZ37\dobaloc.exe

Filesize
2.6MB

MD5
feacc5dfe31893d6e8f2d67e7cf0ee36

SHA1
dab8e2f403cca9bbb7aca3a3b9dd1b4dad04978a

SHA256
18556be5fcf57191f1736c10682deee29b572e262d89da8ebc924573def78db3

SHA512
210d6b435da439a1656f3f8c7cbc4c4bd056cd56f4ec6e9bbe322415663ae280d90b0464c63eb61e52b92f7a20d7298cbfd5f7e52b7fce7b657689b89a0d3622

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
52e8fa27bedc1f5b379b8546c07e5dad

SHA1
8eee199aee035e72bd2114c02b0e195a7c67ff64

SHA256
fd19adbbb8aad04ac4f54cc6dcfefb44d1faed90f97f87b50501009782baf80e

SHA512
2bfd819c60bfbfe78e882d18ddb61e238399eb80d8b88d566deb3cd5e9befeb151b828e7a873a6f1b19c9c62c8c8dd749e617c1299564a79efa7b47dadc9f364

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
77d1598a4fbeff7e6acd2f1d93f44d2d

SHA1
062920300b950cda480e0f8901ac841afd6450df

SHA256
dbb5ef1055f529b0de123c21d986c2b1b6d038fc11dda6c3d5290ff4e1a86dbb

SHA512
e230eaa9859461f12f7d8cc1198e185edf602f0d66d6b2926c62bdc519ccce32b0aaecc6953aa3183abf6782547b4c42f2d575f9e95c273bf7e91e746b0b3c78

Download Submit
\Files3M\devdobloc.exe

Filesize
2.6MB

MD5
b5a5879953950cac0635050135009cce

SHA1
8837ff90774503ffa2f5a1c7054d093da5c17f42

SHA256
e97fb40ea8a363b14c82f05279b737c81cb62eb5f4f9902cf914af49e8ff5a29

SHA512
1f47987f4f979675090e5de9b20bb79b36f4e4a5868d65e8b026f7c7751dee49e6c13dab8b2015d89ca45b8aeeab01a45d53755fb5c0d45a04b0a7343edf56cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
2785d4d0e3f81be8d7d4ba71a32a1166

SHA1
4cad3162cc86eca4f29c73b14c43fbb86713244b

SHA256
6ace95917036499660f8a6a6f354533e952f86274095ddc09de2fed1c86607c7

SHA512
b8f749aa5ac6df89b44e0bfce97f25a9f6fcde5361d07ab8ed581f6e502dc93022d380ed7c296c51d0c5ff387458791ac3a57b651717a29447cac8431319ee5e

Download Submit