b5180c57843751389a6a6b34e663d1c667f2eaf9ea702dc40aa743c462349514

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
Size

3.6MB
MD5

8d6e2f7148e38707cb98260b85ccdf80
SHA1

e83882d006850f2e27123e75eabbc2d9c195bd5f
SHA256

b5180c57843751389a6a6b34e663d1c667f2eaf9ea702dc40aa743c462349514
SHA512

e4d896f4ff7cb2af62ce0d5558c95e3b383f5bf148798116528ecb47beca27cb1da7f772f8462f62c177fae6993d4fd2045c2fa4923223219877a5e1c8504226
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpMbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4288	ecxbod.exe
1072	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCC\\devoptiec.exe"	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZK\\dobasys.exe"	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe
4288	ecxbod.exe
4288	ecxbod.exe
1072	devoptiec.exe
1072	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4288	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	85
PID 4352 wrote to memory of 4288	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	85
PID 4352 wrote to memory of 4288	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	85
PID 4352 wrote to memory of 1072	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	87
PID 4352 wrote to memory of 1072	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	87
PID 4352 wrote to memory of 1072	4352	8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d6e2f7148e38707cb98260b85ccdf80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\SysDrvCC\devoptiec.exe
  C:\SysDrvCC\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintZK\dobasys.exe

Filesize
3.6MB

MD5
0a5ffce2db731eee007a46dec1d1f444

SHA1
22b1c40620545481fdf45bf0a7584b199472e78e

SHA256
a5e442ef9a1a371d12179861ce5def42a93b57bbbb7b3cd777d50ff423a668a4

SHA512
66d89526755885e885a84806faf4c91047150727c003f26e5b788da81ab18ac310c1a73bcb738fef72c74de74b7177e823ac85f4a48802855504b8d0d605e027

Download Submit
C:\MintZK\dobasys.exe

Filesize
3.6MB

MD5
db676a6eac13e1cf669c40949462a1c4

SHA1
9f871d93ee7e2c6cd36f8a3680c9a52d26e7888a

SHA256
d619c4cb3fbfc9d16ecc0047ddd7b1f643bb97c4967409fcd359a5797eed4524

SHA512
38431040fe86cfb83f20b40c9721ccf73e89024cb06f3cb407c291ddfbe3d8c4d4f8e2a70dbb45aaab50a6168603ec712eebf46b5988c4897a6b766b8cae2f94

Download Submit
C:\SysDrvCC\devoptiec.exe

Filesize
3.6MB

MD5
e218b3a2babeb67d0716234bfd002aef

SHA1
a0f97f9a438f5b3061c0298b3588fa7fe46843b3

SHA256
79ebb87fc209c23fdea7da0139589956c44468d60d4937fab9c56f469a73fdf9

SHA512
11c7d01fa7d3f644867faade51f4b57804463e770030a9c0b511b07b806bc6be922abc49a496aa1729b70d5c2f92b74985cf4595a65e9c77b1c61d8c93c4c5c1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
d665c2942fb35a9e6a999c4319e333e4

SHA1
655be33107190c2e79221b8f617c168ede30069f

SHA256
6ccb4137f2a7b91f7ccc1e4a9c1a735f8c8f65bef23881b34b9c33bb1b6908ba

SHA512
13af50ba2e314e6ff9bca3516e33706e48b902edefb1534ba6db307e0d5e38becb034d46dd2b34554bf7673ba093cf75ed354431dd66811ac4eb71ee54cfddbe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
3e8433128f4f120234f599290abea1bc

SHA1
ab9d1785e3ec508f87081c674530f46ebb7bdb1b

SHA256
145bd473507708a140e2e740dcd703a2f4dc4a83a95ad9527997653a82c68bc7

SHA512
c57e207f2756bd30654bbcef7df9e35ee125aed4ea5f56f8593ebff5dbcd5f28c31672fed335270ca5dee12e3130e73800daa99af40b527e5aa28cde89ad5e94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.6MB

MD5
c525dbe0411d2349c57bddc86153f37f

SHA1
fc8645dededdc582667a6e00b42b5db78d5eae50

SHA256
b9aa98bfe3ade77e5b579d38015f0bb4a70cf43293192875607be5d72f3fbe25

SHA512
f3bf9b18897e86b3a18ea66d68d521c390619067e4a36e9ccd2fd159c371debec5df554625e9f932dea1083f31c736aef8f26361aa7769437dd777a40b4ec155

Download Submit