f932706daa89e5ff3cb5d2a3fa1ae5c1b9c9aa08af6161cd28bf59a82577d1af

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
Size

3.0MB
MD5

2aae35b1b8481eec3256b642ef6fc180
SHA1

14259d5ce0edafa907e2deac16ecdc954ca17dfc
SHA256

f932706daa89e5ff3cb5d2a3fa1ae5c1b9c9aa08af6161cd28bf59a82577d1af
SHA512

01c6cf364ee531674866a99e490eb3b06e627b93587ca82b79cfa47ea27635f3ff355e3777f0a4bc19fe147ceb6108eede23876677b296b6dc8a7b983206d07b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUpQbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	ecxopti.exe
2792	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL3\\xdobsys.exe"	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYY\\optidevloc.exe"	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe
2296	ecxopti.exe
2792	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2296	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	28
PID 2864 wrote to memory of 2296	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	28
PID 2864 wrote to memory of 2296	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	28
PID 2864 wrote to memory of 2296	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	28
PID 2864 wrote to memory of 2792	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	29
PID 2864 wrote to memory of 2792	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	29
PID 2864 wrote to memory of 2792	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	29
PID 2864 wrote to memory of 2792	2864	2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2aae35b1b8481eec3256b642ef6fc180_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\FilesL3\xdobsys.exe
  C:\FilesL3\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesL3\xdobsys.exe

Filesize
3.0MB

MD5
f288bc9836c2ec422f484841fc7e9dde

SHA1
1f92e3d64f191b7eb5771c1557e1e9a7c93cc305

SHA256
a2a21f33fe6f896ca55120ff94ca91dc5b86f2adbade65d727bc7e2e57363da6

SHA512
6705c8473719e3c8d1175cbef5e047c7de9bbed4a937bf8147be8d87df7d2630867ca1b5b80745515058848d13e359bf65bf597bdb23771785b181ea45e63784

Download Submit
C:\KaVBYY\optidevloc.exe

Filesize
3.0MB

MD5
e52d9b6c42aff856477c19bb5e806c53

SHA1
c1d9c0601c0d5fbdec7f4629f2bd902ae0e3e0f7

SHA256
ef78ec26d848aeed3b3d2d20011ec3de0462acae81e300e7b7ea9fdd71e5fda4

SHA512
642feaead3af9496a5b5df83926464ee5ee99979fa0c3e6792944dc43b57a0271d698de5b9a9ee945b3ee585df0a999273c4b047623b6427fceec6919bccd455

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
24d12a81a8f11490ab90b4c57d7de648

SHA1
f696c9783c1bc62ecdb06f394084696d80cec816

SHA256
f3c72f4f05ec899af7c5f74b02f7097958d71850f4311067f08382bdb6f7aa9a

SHA512
7cf07d5c4243ec7cea4b3e788a8cc071382cd1768bfb756a8a592684b77097136ab46f2a265b0c4e0d95fbe0825edd43eb36cbb58990341cf04ac68be25a5699

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
f006ca6093de13bc8c90fb41a1e9057e

SHA1
1248c4a4e5f0324524d2efb876f7d82d0ace7100

SHA256
72b64e93d181ae40940b35594d467adf5eb2e3e7470e440d0dd2b0a3b6947506

SHA512
f979bc1ba84d144f1724d7124a07e7a6e41705e00a4545e3247abbb604e808f3bf5f2566baf30138ca9931c3d44a7f805ea0df376a09564d37e898cb932153aa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.0MB

MD5
87f84b0ba6f1591e98160d31b18ffead

SHA1
c234724fc1fc5657706f5474a124e2f6f66e87b8

SHA256
81833af8728c674564c2e10c8d329b41e2891d0255e92babc769a15717f9855a

SHA512
07c9d3ef8a0036665333504e40ae5fd92916e2c716f865d81dc33b57367e0a9599c96d25dd5990c692a15c19359d31491be4da2a20bf919a181b4a60781f44b3

Download Submit