2f50f0145ef6b1fb9b67ab8c6b122b6d2db4ba3b4ef20ddeba73314ae8d43a38

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
Size

3.6MB
MD5

2ee25b76e62fef2107e1a0731f2dcc00
SHA1

ec17ee2d4abfa0d48ab4790e1d838b806df5fd9f
SHA256

2f50f0145ef6b1fb9b67ab8c6b122b6d2db4ba3b4ef20ddeba73314ae8d43a38
SHA512

508427aad77bc905cb593b1332d035133b609d763378849f7f9f256ed51f891fb1d7d3cbcf708db8a069d7fb3c8bf04134a08fa45042cb5250dc6a8e390ea1b7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8:sxX7QnxrloE5dpUpEbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2248	ecdevopti.exe
2620	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files24\\devoptisys.exe"	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ25\\dobdevec.exe"	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
2248	ecdevopti.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe
2620	devoptisys.exe
2248	ecdevopti.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2248	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	28
PID 1500 wrote to memory of 2248	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	28
PID 1500 wrote to memory of 2248	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	28
PID 1500 wrote to memory of 2248	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	28
PID 1500 wrote to memory of 2620	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	29
PID 1500 wrote to memory of 2620	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	29
PID 1500 wrote to memory of 2620	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	29
PID 1500 wrote to memory of 2620	1500	2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ee25b76e62fef2107e1a0731f2dcc00_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Files24\devoptisys.exe
  C:\Files24\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files24\devoptisys.exe

Filesize
3.6MB

MD5
db40f7a800174341bee8b68c9ce7d4d0

SHA1
56068eef015d6c24a28229c97b1e29cda72d7073

SHA256
f5f273050bb3972cb49256625718f5b1957275f4f2209c52c5f1b78cdfb73f62

SHA512
7d78f108810eede43316fe6a55eacef6f01a0c98e8331420fee650c93408217c686604ea846edb16dde43a3de1e4bd340e1c96718daeab5237722bdd1a527dae

Download Submit
C:\LabZ25\dobdevec.exe

Filesize
3.6MB

MD5
3cb677280fe5eec47341ef5dc5ad56a7

SHA1
5260097dda1df1cc11c446e96af008be2f636e66

SHA256
7cec937856345755e5592a1fac7b800ed701df3202387fef011af5f94ed72945

SHA512
dccbdac68760003504a41427adf2a8e30bcfe6923ba652ac434e7a44746684bf4028844eaa03a14a950084b0e91101ab82e7bd4555bd917d916b41a1c77c66ea

Download Submit
C:\LabZ25\dobdevec.exe

Filesize
3.6MB

MD5
45deca2b5e832a4e3159dc7f9b6d3b89

SHA1
c9d8b468df695a9c05655b943b68e3257064d6f9

SHA256
26002f711b3b982a764f3f1d57b6427962d73cc56d848bea006434418e68f0ee

SHA512
16e6bc358c9dbd5718fa8fb3896d6feb92ee7a92e4a736c9b061817ba94d054ee6bc650c59641139e34eec533d2fb96a3e7ee46cbc3a6dc70f5cad9caf2fdefb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
9a7bee5e3b818959e7faac6ab6482eb8

SHA1
4442e9ddf97e826db45b668b021f2df0c3f7c924

SHA256
c4d840c4a182036cd7e0e90f59f48e65aad20f101e9e157b7042beaec71bee4f

SHA512
1732b86a109bb693fa36485f137693ff392eb31034418e565ed871aaa0dbf67549822eac9a59f920deafb5b50a0713951c5d997047cd201a150045259fe5caf2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
7e27b56bc68bdbb2c9086aeee18507ff

SHA1
73f48971bfb91f9bc71993307e8dc3e50b7232eb

SHA256
37daa1dd2a39adc3de68cf24f538ea2ec5f2c655eb7f1edb51936d2d25d284a0

SHA512
4ddd8afe62b60516069a35c95d1c530252948e233023ced59d163efef210ee4142f4dc364dedfe89c578b01fe6337754027c6c75cf78b5314a2596a8b10b54a2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
19d1c3ec95dc2b42f79548c1d170a40a

SHA1
ad453ccc5892ed9e76c035c6c268fc478f8baa86

SHA256
dbb3497e2358ed28e0ad03e45559eb32c2eac167eeaf2023e4c4f08b6ab054e9

SHA512
95529b6820e6dee49677f97de9570115965d8d456792c57eb80c22cede5e21200d9518f7b7f8965838b0bebc361886e65cd3196c3e33494b168d8129756a6758

Download Submit