f2f12c7f3bbbce8581d5422469dfc48d9214e13dfdfaa26389cd9dd1b69bf6a5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
Size

4.1MB
MD5

01df69ca825a1bb1095592ef40bf2150
SHA1

8516e1c2975e755cc0320dde9078ac83d314a3a2
SHA256

f2f12c7f3bbbce8581d5422469dfc48d9214e13dfdfaa26389cd9dd1b69bf6a5
SHA512

73a7671bc9a6b1fdc4435787b04d4637cd27198c13bcff780773282eceb7df7bddf1171ed5588ce1b810a776cf133da8b431ca265d1c1ee75fe88831db37353e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	ecdevopti.exe
2256	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTJ\\devoptiec.exe"	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBS6\\dobaloc.exe"	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe
2304	ecdevopti.exe
2256	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2304	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2304	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2304	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2304	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2256	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2256	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2256	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2256	2932	01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01df69ca825a1bb1095592ef40bf2150_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\FilesTJ\devoptiec.exe
  C:\FilesTJ\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesTJ\devoptiec.exe

Filesize
4.1MB

MD5
bcb7d68dd8053f99c6b9c822fcfbb056

SHA1
54d5c940d89b5bf199871ef91fd422c4372f4d86

SHA256
b41f31fb9bb31627aa6389ec6c82360d5a775f4f08c9b509622e22380792dd56

SHA512
0713ae7c0c477c930e32e39fe08f5ef387a7dfb331a9698fd40c1a609502255b593f64d06780946224c86a9851e3e9f7fda8454a5b8895a892baac242b6eb311

Download Submit
C:\KaVBS6\dobaloc.exe

Filesize
4.1MB

MD5
7ca159c19bc800a36de44c7db4a40e75

SHA1
0c4c7b28ecf2eb21298cb134ee496227042f5b97

SHA256
f854a42dead43796094362b39ae6d18338ac0f174cf9dcef09b454c1cf3a7b8c

SHA512
7b22b02b00c4e4a379f1fbd2a48b70a27bee66c7ed043e3700d0c04085ce39f6c4b4b3d023849c7204304e1ef5fe109c69154aa2f6b92f445c54471783afdadc

Download Submit
C:\KaVBS6\dobaloc.exe

Filesize
4.1MB

MD5
9ec0c2f6e8edbfead82ddabda4427480

SHA1
06703a310aa8e306aac41a6a82dfa5610c307301

SHA256
3d3b5bd9ebfffc0ba8da9550c16866f81d0a530a6e53e5e70bdd1e625ec69531

SHA512
e10fa5c5f3c6a2f599af3deaa13ff0644955a299b83c8d442f10bea704f34a73b43ce5b1c223eff8475f1aa531962ac248ca57fbddf46d47e70c32d07a316547

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
a268ded041bd29bc419d1f158ae44092

SHA1
56faa46a8738f14b100ed5279eeee0be5b093542

SHA256
ce7a8a30f7eda5bf6364c7339c10695a31023be22569f2c4f00f44a75743178e

SHA512
a4115bce5432c4daecd8e3fc943b211a9d87c442b21306f9f2d442c7d21f04123a9b0e7e755831953ae315c0e5d976be97426182eac286b04fd610993de4a30c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
539c8c652ea4ebcf1dc1e58000557b59

SHA1
0a4de3cdf96cab82688a32e65811113f06f3de17

SHA256
cf82dbb65ab3f9226d95ffde1af0b6077bbc630ef1e41fc8b6bf3955e0b76302

SHA512
728d4b68b9e83072195d18216b9078b0a9ebedf23a65c7b4794f63ef7edce007f28a3c7d2fa2fc18053eb26dccbb05641a95e2e346bcef33aaa5fd59654c61bc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
4.1MB

MD5
b8a42381d475c3aa026357cd4e493f22

SHA1
87a63f45dc2f9b6c321b260a2aeec74a09ddfd37

SHA256
38b7dddbec9b39012777a2ae1c319fbdf217cb7622444507d94a6dcbb7918ca5

SHA512
a8e2e3d4628654d90ecb47debe9af2739133a3fe14b81e0988e9e954d14b87d2459b8737a020c4333c87ef402b3b33d362880584f8c2a52b53a99b9fc529c243

Download Submit