7b65a627b912ab097de6aeda9bbbdde8573b6a02e4c55aaa51257d50eac1b6a9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
Size

4.0MB
MD5

5893b70fbe1d007f27b0090354027ee0
SHA1

9bc4a807439cb962cabb2736eff83e2276903edb
SHA256

7b65a627b912ab097de6aeda9bbbdde8573b6a02e4c55aaa51257d50eac1b6a9
SHA512

5f3a017b56fb925479bd75fd8ad7f7be652ab876d55ed8ca8b57cfcca30cd9c66e72920c99190683a3acbb44b08a486d536894105d125e0440daa9ca492494a5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	ecdevopti.exe
3048	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNR\\abodsys.exe"	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHB\\optialoc.exe"	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe
1248	ecdevopti.exe
3048	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1248	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 1248	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 1248	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 1248	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 3048	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 3048	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 3048	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 3048	1688	5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5893b70fbe1d007f27b0090354027ee0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\AdobeNR\abodsys.exe
  C:\AdobeNR\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNR\abodsys.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
C:\AdobeNR\abodsys.exe

Filesize
4.0MB

MD5
6e1ed08307a04cc7b9354d34f2d0c829

SHA1
4b3b70a8636f6f61313fbc221a97cb5a85de5ea6

SHA256
3a9c93e9251342540e27dac57098d05b4f1490f48c32d784829bee6ab7e7f81e

SHA512
ec4ef84b5b0cf1c1680a197b72706b5b2604ba24de2946a253f891e6b1caabbd10e058204b6acb8ecbbdc4a0270c0e2df815381c5adb13152f9439bbbb1e5a87

Download Submit
C:\MintHB\optialoc.exe

Filesize
4.0MB

MD5
1d1ed4579890aa36303628a9e820f035

SHA1
1093c4b7f010cd1c894ff3183b00734f6c814bef

SHA256
deb8fdae511380f80cc1f347acea1b073f3dc36b14bb9baa4c5a9981f75f3fcc

SHA512
b5f1f9969f77030d5272f087b7a40c67d1e9530bc6c0fe9ee9f5a4b4ec2a1d887ed076b0340f91b351d9d5b5d2f3644b3aac6a944df509ded89732e7f64cf8a5

Download Submit
C:\MintHB\optialoc.exe

Filesize
4.0MB

MD5
a65edce272b99401a1ed8a4a549ff4d4

SHA1
15cc73f13c58fecc6c1d26ec7d688de086309404

SHA256
7c3d7d4fa7d85d19edf61e41499ff1e405aa9815c487b8bbbbd9d797ef531ab7

SHA512
76a1bf09b175f9111bb3b65708026d9097fb55c48e0e7dcaba7b4fff8808f0858b51826a4c56a197650d87f89f7f6203c49c37ee4c426b49fd2a5e5e706afed2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c4674e8ad235c45879ca974f12f820bd

SHA1
41500eaeb6ce9cfa383770421a493da78615fa03

SHA256
0813e9bbdbb0a15ae7ec633fec05c83fe9770e913612dcc89107340781517379

SHA512
9f06488a28432da6fe3210c35825c0d28b2b311e0a653f52b5be8d42e5d22a90ded05bdcb572bb0b950d5fa2ca6be32ef6fbf066e3bb720113a337bff1ea0ed6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
46dc27913d22003257debd2dd0f15a92

SHA1
84802d1e29592fbe14ab97d23c19a32a2ca7fdc7

SHA256
6d3cb4e2164743533b3dc5ab0a51be07cb45437a8d7cf9a4f1d2e0c69f392d4e

SHA512
9b2db3765640ca4864ff2c7ab6052b4c5b0193e042850710ba0e82020f22b2a098aeccf763a27ca77d19300800b20a44d1783223c7a111355760a842e5dbf865

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
4.0MB

MD5
fddef84b6101d0b278792c73fa9f442b

SHA1
8c7724e2b2ed16765da2fd873173852dbf8a4d7b

SHA256
6c33fba236e36534744c500a1f29d5c5ff42e8fb701deb4ec3c207bc6e5ae7f1

SHA512
bf4f210a4d60d390aab378706aa7a9b9ae847412779f6afe9405019b061b896499ccc2b8b6be7901b0b35ad4a3d5566de9dd9898a82de0d6cac9cd1e60b3dd65

Download Submit