558ad82a6d72ef881da4c00b596fbea5c4ed8906ee479aff259c2239d6afb90e

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
Size

4.1MB
MD5

275c0950e1acc56b9fb83ab95c33f9f0
SHA1

f6e8b07e0c57d1805e4c6fc6c3874b837c81099e
SHA256

558ad82a6d72ef881da4c00b596fbea5c4ed8906ee479aff259c2239d6afb90e
SHA512

c7e2769fc9d27a9482b92e1031281b3a5962cbbbac76d0997cc0772970fd3052b3186775697be5de337137bbf8f659579d05ffa1741f2ccc763dac55ab6a1699
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
732	ecdevopti.exe
3700	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG0\\xoptiec.exe"	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYG\\boddevec.exe"	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe
732	ecdevopti.exe
732	ecdevopti.exe
3700	xoptiec.exe
3700	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 732	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	85
PID 4468 wrote to memory of 732	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	85
PID 4468 wrote to memory of 732	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	85
PID 4468 wrote to memory of 3700	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	86
PID 4468 wrote to memory of 3700	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	86
PID 4468 wrote to memory of 3700	4468	275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\275c0950e1acc56b9fb83ab95c33f9f0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\SysDrvG0\xoptiec.exe
  C:\SysDrvG0\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvG0\xoptiec.exe

Filesize
4.1MB

MD5
9b3e6417fcadc3dc11fb72a6fbe906bd

SHA1
9e6316fdaf9e9d012e04cc76b1821338243f798a

SHA256
bde5427617c7d31faf600f6f342b2e0d5eaab6f9bf55a590fa280d0938889aa5

SHA512
353238b7abfb50739fa081660b8188a079ca5d146bedd369b037c353e068028291a4c35935301a878dac9fbb0cbb758a11700e3ac608f0da759868a04acb977c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
fce2d71cb7d5a03907c6e5874158fdb9

SHA1
0add19984de3344d1807471a8767845f5cf1848a

SHA256
fa14252b6a42f91ce149daaeec67305bb8e1186f5b07d9a85b3047f07e58b70e

SHA512
152b5ec72c2a3b122492ec0ba21f5019f553c6dde9da5246fe50ea1461bd639c5719cd8f18b2a55e7d85d6083124eb7a1a3549124d14f230290df3111be3457f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
d0a8d014ad99edf322532c18f0bd0b19

SHA1
e110c143f7104a0345205951ecb03fb55222c153

SHA256
593d551c94b183263c2beb1918a64def2510a06fa3c8b571f0be49e5dd26971f

SHA512
cd5e6c5ee5d7c72a70a40f3e9f5bbc3c5ffb54cd69f4c81edbc74acacde22767b9de34b8730eca2662aebb93ceed3595711b0f280a7b6b9d304198befbef6081

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
4.1MB

MD5
1620f0dd16079b578f75285991e8e4e0

SHA1
47e454b6a4008b1236cb8e49291c8cb52effd448

SHA256
10b05fa0d763f1b0acbd39693c540cc7e6ed07fdc5c3666c70b8f3f14db74d45

SHA512
d7b8637726753e13c86bb5ef8898a5b63692f8783c7ec323ebdb1428d79d22d4657e48219af4cdb4495b23f04a5ca5c496331d3e6c21216baf6f2b168858b775

Download Submit
C:\VidYG\boddevec.exe

Filesize
4.1MB

MD5
a76ed5864cec8fa46e1add1b04132910

SHA1
a9daf43cd1a18e39f2ed892abc623d6f6f6c8a2a

SHA256
d8b9f9f8544c1c4d1aa82b02c27de30694a05bc000435c38a2c17cf18dcafc10

SHA512
86550ce1b835aaaf2a855101fab8e0c3dd368353c1ff37fc08180d612ede776d551368f0e7bbb3c69b06851aff35549748b0544a0b18ff4a57e8ac70c79b793c

Download Submit
C:\VidYG\boddevec.exe

Filesize
4.1MB

MD5
4683b598fcd0ac8e1a0c48bf50706408

SHA1
d185be42c671f4f819b0f021bc7643c9d4e89f3a

SHA256
0f884628c6414c38cfd9b7de8ec5268b9c06803eea5e485d4ada5a01ba71ca92

SHA512
8a66bd46a7d12869800460f120b4910e0ea81031d66a19fd4d36eeea9c964582ab3ac5a2f541092d43082afe0ab25e812e8bdf7b4caa58998e18764322e5ae50

Download Submit