dd0f39a332478b617fd9924adc13df4d98af0d528d117fcb2276709ca08e1cd6

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
Size

3.6MB
MD5

883ed958a279c30ebd0a9f4cd11509b0
SHA1

e373aa2efabea67e1303531b6a63d00042e0e684
SHA256

dd0f39a332478b617fd9924adc13df4d98af0d528d117fcb2276709ca08e1cd6
SHA512

e675bbce8e085bd883fecd52339148ca89e0f4acf8d8892bd0d535fe1eec8f8bdd574aa1fe421365d01c2a4502b06940ae9f282e94004f0d9a33674163b71c8e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4736	ecadob.exe
5008	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2N\\devoptisys.exe"	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax15\\boddevec.exe"	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe
4736	ecadob.exe
4736	ecadob.exe
5008	devoptisys.exe
5008	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4736	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	87
PID 1512 wrote to memory of 4736	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	87
PID 1512 wrote to memory of 4736	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	87
PID 1512 wrote to memory of 5008	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	91
PID 1512 wrote to memory of 5008	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	91
PID 1512 wrote to memory of 5008	1512	883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\883ed958a279c30ebd0a9f4cd11509b0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Intelproc2N\devoptisys.exe
  C:\Intelproc2N\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax15\boddevec.exe

Filesize
3.2MB

MD5
0ebcba64368f0b3a93ff6c06e2c3887e

SHA1
070accc1f633687b3b72279bdf261311c0ebe35c

SHA256
af9ad58a9a0c80a0ce8a165b7dfd97a2cba808ac174bcdddb9e153a63507621c

SHA512
dfd6b0c41d1bb5b4748b691d20b749fc9b1a20e88ed4cb07a57371b627efcf1b24ba12f28658c607a6dc0667ff3825012000fc4846a648d50c445ba35528ca5f

Download Submit
C:\Galax15\boddevec.exe

Filesize
3.6MB

MD5
55e4eb280f8125d3818f3210ea743f51

SHA1
c2fe94020c7368c39046a99c427383013cdbc69f

SHA256
944292623c87fb749db932e85c6b8e95b05276fc56c94ae4b0894264679f7f4d

SHA512
5b221a4324b6ac87cad00a44ba5957c097c80cc446729626c7ebc6fa3607ff9df3f4daaaa3e6d2cecc899b3bee72f45dc99e9ae1608df6416ad1327958217155

Download Submit
C:\Intelproc2N\devoptisys.exe

Filesize
3.6MB

MD5
1bf7787d081bc2b6d9685a7d2e15db5d

SHA1
43322634097149a23eb74e19c9511ba323d743e5

SHA256
cd6f4746befff8b0c08300a29b4868e627cae4aa0778d198668ec7f1061c5ca4

SHA512
401dff9f2483f280f1a724fe63c405685d6c3c8387ce9ddff3966226f0da5fb94f44682b3d7b4e4d73c39619cf732e6583c6c4ecafe54ed3d50e102600bf3743

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
dad9d8944835aad210d3f78616322ccb

SHA1
41ef7ccc6413995d2b0f4c11915dbaf836c5fcd4

SHA256
33f192a3176c41ff8d2de6c4f121fd2ac4da8e38cc89caccb1ec4d3b2b66afbe

SHA512
97be59999ad9a00e3f0a3f66432b7232ba85d351576e2d7dbf78f499164f003fb2fbcde9994707e27248263a414c18f5c4098f40c9c85039b46ca287c4418b74

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
528cf5756d873cf82b92f12ae0944fcb

SHA1
f33f792d7acd5f6dc275665505b91643b6bceb0f

SHA256
bc7ae57e6f48f3e2cea6a3c52b9a533c52aa1582df36c288f2866eedee819ea2

SHA512
29513640aa16c5f09f5990a75ba07ac6942c82c9344bd743d5dba5ad1f6f0a6fe0d2441826502ca30819650afd4031c3e1bd9147c38137a31e531b63ea2d6c2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
10dffbf3007d91a79ab28bb6e6215abc

SHA1
b51fd6d2d26a37257e0a546c15b3c1ccb8463c53

SHA256
372f120f5cd37122c6cd3b06c4e47d77dee00ef60ad0523fe2a5f9c3d1a19b6a

SHA512
da616c7ffc1695ed0bc1b648882833c2fe9833315146af5a03d7b9caf9aba51846e33a6c35bf24438fe392970b5e3301c15fc265948d1dcd840b47c7aee263c6

Download Submit