e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Size

2.6MB
MD5

1472ede8b6ff7b8953f3a03087c432d0
SHA1

5dbcfc62a26e8e8097c78451d228c552c2264224
SHA256

e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6
SHA512

02e1b866518e5c1c281308b44b5293a58b6f60be2df1937a60e2fe06f4ee142d9c2c137caf7568d7754c35a2a81f488ab9ec3f3fb3c841e5fe8e43f76e0dbbfa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpSb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4724	ecabod.exe
2636	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ6\\xdobec.exe"	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBB\\optiaec.exe"	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe
4724	ecabod.exe
4724	ecabod.exe
2636	xdobec.exe
2636	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4724	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	88
PID 2420 wrote to memory of 4724	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	88
PID 2420 wrote to memory of 4724	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	88
PID 2420 wrote to memory of 2636	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	89
PID 2420 wrote to memory of 2636	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	89
PID 2420 wrote to memory of 2636	2420	1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\FilesZ6\xdobec.exe
  C:\FilesZ6\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesZ6\xdobec.exe

Filesize
2.6MB

MD5
1b6fd635ea1bf0b5fc9f00db3fecca75

SHA1
474ab5710c020d7fa8ed1629d97055607ad9d3cd

SHA256
1db7c05e5e0a9de687d5d133ddbc21b111ae41332da2ee3dbec9f35175a38332

SHA512
4af7a1ca7ec135f3154123356c95c0d5d12e3a52ac8ee705c176d7560b8cff36b6bd0d51daf964071ff16a4259218a2196666e6be6cce87a6e16a65a66293f02

Download Submit
C:\LabZBB\optiaec.exe

Filesize
248KB

MD5
d0b3df313f82344e1180ff0b0bfcf117

SHA1
591e467d5f1450d2b037ee766d1a26823b890659

SHA256
418d4d375962a9de4518b75cd2a52a1f64d44e80f52bc51b871e18046d01cfe7

SHA512
a566bb60e531a3eb361f04d029145caccfe901fc1c22a63031a4bf3a1044e957845771b8b9aa1b1d6331d11530f6ce5c87cd4aa74e1720fddcb13b0972075858

Download Submit
C:\LabZBB\optiaec.exe

Filesize
129KB

MD5
80652891ec338b18fd9461c1a2a5efa6

SHA1
53fc387ed3b1b29d65ce9674b7307be451e40dfc

SHA256
c0589b176fba559622f2915692c45b40450d220cecc81257f8634ec90fc7263c

SHA512
03bfe11893a1851210a1753368ed7c73514afbd8a9ee4325bc4df4c395212d25989cf3b1b8332b207970cc4f966a43bf5edb64f1af3594e9102c39990a1144f5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
6bd9cf7fe2e1946eaddd8a987e9106f9

SHA1
62f44fec22d501b5348c50ba7bd7a8a314464010

SHA256
bc69270691f8a82302246408b9bb3c3a0e7be9ba417ba00ee1451c84893a713e

SHA512
2ca79e545ac6029bac4b91ca2393c3cd090937686698421a0ae36c69342f2d59a13c650db59334f6624c2b4942bc7fe42bdb9d1fd748f64d669f850c5dff8c56

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
166B

MD5
7cb15694dc0de4e89616e8b006fdcae6

SHA1
d34e9fb3cb39b9d3d4c9e558fe724794f66e54af

SHA256
da3a372cda2db1e576b2b1e5d66998d57fc406f7c9b4c7651913e7bd98d3b5d8

SHA512
f9ec0139591d284e0e55d565551fc02b6b3df9dae91f1b914a0cfba3398dbb7c6e18ac624871e05d0a79ec2878f93234b401fdc3e6946a78212c808fba680477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
c5de1d26dea0f733bbbf5010631580b5

SHA1
139d2a77f2c9ea8ac34bdba7938a9513cf15b514

SHA256
618ae80888afc9b0661a35feea82c83909c676cf88c0878d15647f1b8fe8ba3b

SHA512
d292a59b53c78c42db9d0a462cc9dc461c42b13404e949c5bf3daee35634edbce73e223918a4b77fde4b1f8566096a308f4066e531955a6d27cbbdb42b3d131b

Download Submit