330a12b48d60e6e7e43cbf588dd0e35155eab9b1277ea07588e224bd81fde413

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
Size

3.1MB
MD5

24ca8c0247bb93b6f17a951bbe2f1eb0
SHA1

fbcda89e0df0ddf5ccae70cd622a64288e88899e
SHA256

330a12b48d60e6e7e43cbf588dd0e35155eab9b1277ea07588e224bd81fde413
SHA512

561d60437083bd57d53c4caaab8c9b67c827e936faf1669c39b04526ddbbf8b6e392f2d038ef29ca9a877e626668cc70205938e00fae557c0acff7ba299e7080
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUptbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	locdevdob.exe
2112	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint97\\optiaec.exe"	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xdobsys.exe"	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe
2172	locdevdob.exe
2112	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2172	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	28
PID 2352 wrote to memory of 2172	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	28
PID 2352 wrote to memory of 2172	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	28
PID 2352 wrote to memory of 2172	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	28
PID 2352 wrote to memory of 2112	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	29
PID 2352 wrote to memory of 2112	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	29
PID 2352 wrote to memory of 2112	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	29
PID 2352 wrote to memory of 2112	2352	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\UserDot4X\xdobsys.exe
  C:\UserDot4X\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint97\optiaec.exe

Filesize
1.4MB

MD5
1846af9e8b55558541978d7c56478edb

SHA1
547f27f580ed217db608fc58faecb1dcb3b7543b

SHA256
7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd

SHA512
863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b

Download Submit
C:\Mint97\optiaec.exe

Filesize
3.1MB

MD5
385c5eaa711bbbbb8b03a81fbf3ecded

SHA1
9dac8816e4ed476cdb85c95c2acbcca623755d9a

SHA256
12a36c228a5b9fa2be5f982e23ad52c9bc09cd7a3e69db5a96b969a3fe4a7000

SHA512
2527f225459e7af9b3c8a927b1e3afb2e56f18e4b87aa5cd6aa24a5c5d93c50a554bd27f4831c88c73a2c375990fa31f0ac0d31a9b037fb7bf24514070b8ffb0

Download Submit
C:\UserDot4X\xdobsys.exe

Filesize
3.1MB

MD5
caf3030e6a68ae3c6c0a56a0cb5c252c

SHA1
55ec200149e53afe552b7262d8fa777ffb147686

SHA256
3abf419c081e68e1dde67f4a96f4b7117bf0602b5a386a3a0c1f5a30eb87feb8

SHA512
41e130a6c0c1a7d1b093ee153fe103cf2a712a4f04b5f26568866ed8ade78132c682f33ad7d0f542e672fc4f07fed0557705095ae6fb1785ff4ea351cf786148

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
260beb2db3588c83f2bc4ecfa699e129

SHA1
b0d926146a4efea8d8d70acaf1743f29ae16e1c5

SHA256
a14c1ea3aaa108f962fb8f3ce79cf6af8f1171c91ba353e8594f2be0c06e007e

SHA512
5776a376c2fd63aee513d35aa1a7387536d240d32bb41aea91854579ae369545999a4fa44972fc512ccf9d05db90bc4e9afc90e00abf98c56fbc04167cb786a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
79e97bde734b9f66dab4cd5d794ce085

SHA1
7fa015c7f1ab120a241eda2bc98566e883d08937

SHA256
ac21570ccc57cc1c02561dae3bf3e19a2ce8ff1d79d0f30b44a64e90cdb52b33

SHA512
e07d62e07fa6332c6fcaf101eb67595d7d2757f2498fd8bcbb8a9b84c8216fd69cc2f8e2a4111722d252bd762b1142a53182dd7dd68832b798c1ee1f7f505197

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
4899438c76c83e93b24c29a2a97e999c

SHA1
e8755b6a3355ff4fbd9969ecad76d5099b57fb4a

SHA256
2248aed301c364ee2a11d8bb8d9646d0630fcafec2e8ab00d9f9d6fb69720eff

SHA512
01fb6b462665ed4add8546c103b7a82bab5f22cc29968c85b3ac3334890b2ec32d3bc06f1c9c31d16fee732c78737d9179c7c441294e5b1b027330e8b38a5296

Download Submit