0be71902d15a12bb0f21ab325ab5f50c4b7935a6320a9c810064ab712142a872

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
Size

4.1MB
MD5

5aaaffdc4bc4802ab0bcec9a62d63930
SHA1

2176930b0802f756ab7193e3c509f9e302f026ca
SHA256

0be71902d15a12bb0f21ab325ab5f50c4b7935a6320a9c810064ab712142a872
SHA512

5e684a05e5bdd754254af407b54e2a7a14ab769fdb9bd526c8ead612e0a59830eb3bb411ad7f93a543e796ca0443e48242954e25917c0fc0abcbeaaec6b094bc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	ecabod.exe
2608	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDT\\xoptisys.exe"	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQQ\\dobaloc.exe"	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe
2240	ecabod.exe
2608	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2240	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2240	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2240	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2240	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2608	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	29
PID 2728 wrote to memory of 2608	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	29
PID 2728 wrote to memory of 2608	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	29
PID 2728 wrote to memory of 2608	2728	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\UserDotDT\xoptisys.exe
  C:\UserDotDT\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQQ\dobaloc.exe

Filesize
4.1MB

MD5
94dfa680d1110c1878b44300c924a6d8

SHA1
ff879088a17f609d9d880cfa3ff1aef790cdc394

SHA256
b51e6fa4646cfbd75fb398821642b6dc3fd678bc9f2a11f27cbfc65316d5103e

SHA512
9678afeb1a9bccd67ee373260f80d84fa459d8e29394d40cc52dadec2375c46459e6bf52fdbf1c33e497d5c575cb08718918a5ee1f9dd6e294119c61295958b5

Download Submit
C:\UserDotDT\xoptisys.exe

Filesize
4.1MB

MD5
3c4fe9bc9e100f62f6fa4ace6b7df7de

SHA1
17199ebf4161ca524747cb51bf455b8bd0182dda

SHA256
dd5c7b68f244bc81391da14664860e39edd06eca0beb7ef7f093d2b83744f148

SHA512
7f8fb6629fa844b8a425e069572591e08d3fbf39b481909a738750f0d8b5ce48f36b65aae476cdd532d14e40dae6af647b20f6a57aed94dc7c9b93456cd4eb21

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
8456938cb093d7e56432b74f52f521dd

SHA1
b4b67221aef0fb08c5ac81545906f51e04533589

SHA256
62357e25ce63ea78a9fe47362235c9f028c4483b029d6a11c79624f2de40e8bf

SHA512
8b7ecec1ff7e67e5c5ce79f2fd7766ccd3798676a130fd2355073b55839b0750239dcf83aecbe6909ef5181103c4576f91c97630acc235c0a6d7983f9e7fc311

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0ab0138860c11670e5a3bd4b88994884

SHA1
53135aa390cc029671df6b32c4983c409e392527

SHA256
395d295c584948fca23b6b786dc2da28cc7ed7df90553d12ef8fcd3f66fa91bb

SHA512
c0021d6ccfa7a26317b322c4ee78a5a80e895573c053299c32f8fc75da68bd952c81b6abb5487d16caa18bc384e4d12a7a1abe17f4994fa49f7fbf7aa3f2a304

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.1MB

MD5
6262f03f5a3a93a62b260a056db22a70

SHA1
7ecddbba0b78be9731f524a96c8f95e6441119ce

SHA256
74666e8f5befe2e7e34978b8571797dbf8ea1379669afc33aec2cb31bd14fef8

SHA512
0d58b4024fd121e0c55b0c16f53c3c054db5419064d6c3d25ad00e29eb05316a7b9c8408f750a3f8229950b847a2b5a4eddd3a249e7499774d9a05d72e5af99e

Download Submit