52c236c9f69a542a08cef69cd4beef9582a41285b82972f559c2e5e79465e87b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
Size

3.2MB
MD5

66d1ccb23e0c6dea0026f8703dc0ab00
SHA1

53aa5303f537d3ab2208256995d0874e7a0235f9
SHA256

52c236c9f69a542a08cef69cd4beef9582a41285b82972f559c2e5e79465e87b
SHA512

e3bf54261375fa13b7e3b598ce9dbefcf4b8b612e3abf8cb541fd01310e80aa318e1453473128b0a97631422d0342211c3a843aa56fb03b6314fc10a203fe78a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
604	ecdevdob.exe
4416	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHW\\devoptiec.exe"	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOM\\optiaec.exe"	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe
604	ecdevdob.exe
604	ecdevdob.exe
4416	devoptiec.exe
4416	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 604	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	82
PID 3740 wrote to memory of 604	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	82
PID 3740 wrote to memory of 604	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	82
PID 3740 wrote to memory of 4416	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	83
PID 3740 wrote to memory of 4416	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	83
PID 3740 wrote to memory of 4416	3740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:604
- C:\IntelprocHW\devoptiec.exe
  C:\IntelprocHW\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocHW\devoptiec.exe

Filesize
1.7MB

MD5
5e1b8c595d2d3bf34d26edc86601c8e9

SHA1
a054e54a5ea174e52a9c8b6c11f8e61dd0537528

SHA256
d10033b10a282acb31b404aab146fdda97540cc683cbea938dca4fc04adf8cd6

SHA512
0d29200294291ceab80a45df652b8e343c6379d86b11293e3e9b2f245bd3737e378700c786526a986a74395241d5d530d63c2d59afff6ece40ab45c4414d9fb4

Download Submit
C:\IntelprocHW\devoptiec.exe

Filesize
3.2MB

MD5
95616198a5f159ebc02c37f0cd0d665b

SHA1
78cd00a0a8eaf3fd6da2c5855c525deb12ee5ca8

SHA256
33fbe69dc2c9ce624ff26dbff937d97b2d99c3205e7893b6dd947143b8db66ef

SHA512
8cda705288c804518ba2452583b48e862e7008581eb6d107e3027956ff8d48e1eaf7680765de1108dbf41ef1b3610e56c5987bba5a7f9122bbb1e95c064b6d4a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
a2413596912ab486232b178af6a371e5

SHA1
e2c227128e82efc7c720564ede4a6f1bf9dc978a

SHA256
05c2a84ff91271483653af46261b6d78bcb61177efec6ccbbd8ae2b67df2250f

SHA512
dc89452ec3015c659da181f5444085037ae2a5ea2c33bbee9c61d1e2dcf50b07b7ddf2e937974d209679fbf4f8a07e5f9a88ba8b1b6580122f63ed0e4fca3bb2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
675b2b460c519cbf904507a2f935084e

SHA1
87b6c6822f43551b9e38b729f952c8352e9c4e93

SHA256
db6b5c4989d5c8e31a6ddb65ab94cc2452278e3432a0006ce3dec985e4954848

SHA512
45722125b36ee6f1eeb19c4a444e7ff1143138bebf02948a19c17397e9fc8338ae907b759ac0e01a7fca7eb3c35422ec56c8e5b9a8d9a52f1b1c9041b33ad038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
0a5ab89339cec70b3847b01f814eddba

SHA1
05e6c9a110e4c23ca6370fc2e527edf6fad856fa

SHA256
75b55471cc710a6072605f2660e36014fc14ceb8b02a3a0cae23e2891d662625

SHA512
6000ce29efacb7dfcf9eeb5529445b54383d07c8f55f6ef4c7f58e8b20d8510f9d25aabd1f73caee15b6a02566e3ee2451dd2c8af26a41219f793987945cedb4

Download Submit
C:\VidOM\optiaec.exe

Filesize
3.2MB

MD5
ac19646246752bdd6defe15c1a733130

SHA1
176ac5d4873cc5a8194553cb51de7772e52f327c

SHA256
ebbba02800bbfef384a70777dc0a36b577705e245173fddc7ed883219fec62d9

SHA512
2ed86f7800632438142b13c26ba0e08dd28839dd4308f3dd89895bcb35dfe445cf9238e52fd97ff207f122c04a8d93354db2ba6a44eed224654d69e3f0d9ed70

Download Submit
C:\VidOM\optiaec.exe

Filesize
1.1MB

MD5
440103f6ba82a3521d4e43c5c2914270

SHA1
3644a5d75cb45f1c21b131b6cea06ae7c9fd6d43

SHA256
b5e320d3390d188bf57e20618cf5faf44da5a2539229bbb30b069df1f4c9efe0

SHA512
7dac71bc6da94dc8c1ece2b2d1886c576482b5c0e634b73f08d90346d5e3c6e955ec62ea10a48fa07a3c86132cbadab416aaa0a3f3b4ef05a25182f57303bb40

Download Submit