7b13a2075849e5a28074722fea59e3a2c248450a91a8c9b84aae3af89a555feb

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
Size

3.2MB
MD5

46f13e0b1468d754daf4f63856896730
SHA1

eb1c9ba9b0eb335ebb0d6c86490976e49d059f78
SHA256

7b13a2075849e5a28074722fea59e3a2c248450a91a8c9b84aae3af89a555feb
SHA512

f14032702a2a338cca5b426d72449d22b45d248bbca20e687b3b74ec7282f0f47807b4850293599fcea7e61f3ca7a760d534e691a4f299e7b90bee3763c92600
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3544	locadob.exe
4968	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZL\\devoptiec.exe"	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVC\\boddevec.exe"	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe
3544	locadob.exe
3544	locadob.exe
4968	devoptiec.exe
4968	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3544	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	85
PID 880 wrote to memory of 3544	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	85
PID 880 wrote to memory of 3544	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	85
PID 880 wrote to memory of 4968	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	86
PID 880 wrote to memory of 4968	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	86
PID 880 wrote to memory of 4968	880	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\IntelprocZL\devoptiec.exe
  C:\IntelprocZL\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZL\devoptiec.exe

Filesize
250KB

MD5
5057ff72e3b532db42954335117fa7d1

SHA1
04d303347c22729c2ee291005d466c1523d53077

SHA256
e3508bd87b9588bc8c0598f980202da0232a5d1186ec2664976fc29570c945c5

SHA512
b9ef074c8b6a644bc20beeccb93633c4993b44e9b3300428db0649513e11be2e5ef357ff056ab26e3656296034b5fe34d4895a4e1d7da1c34391a5d083322780

Download Submit
C:\IntelprocZL\devoptiec.exe

Filesize
3.2MB

MD5
d915384b22ab750c59fdeb74b68cfcc2

SHA1
b3349d70dbb94f10ca79fd8624f9013e3aa27edc

SHA256
ebac14ffbf7310e1102ffcf21bfd16826ca0f1185812febc590f60196310c4a1

SHA512
455de492b12b6b79c9f8b7ef4bc104dbd4ad007585a81c1f630e2c34fa87ca6a9cf905d2b58275afc883d66ce9850254f48ac8d082d6a63becc97c4ff2d63ebb

Download Submit
C:\KaVBVC\boddevec.exe

Filesize
413KB

MD5
d76444af4c63a2640005c126640b5bd4

SHA1
6986335dedd65200ef4b953288645d2c7f5ed0ae

SHA256
fdabcdd85c37ca5d2f44e5cbaf307ac76d35ec8019156208b6089cb51c8f6711

SHA512
f6e1f9063d42f6d3875c18e569f0832e03231ebf7378e8a5fd06e23f5e0a4e1eff1b01d63df23727bd9d9d9dff375210ba12b98865a47e226c4b3c4deacd9386

Download Submit
C:\KaVBVC\boddevec.exe

Filesize
634KB

MD5
f00d88bb3780f77e5df71bd5c4d93398

SHA1
c90ecc69cddb3aa0462f7d00faf802da3b00472a

SHA256
19a18cf7ebbe5eb79e428fc9278848e1df354de91c6b427ea2d8287be15c19af

SHA512
1a3b6ef5b93f8e40b1c730e53b573c700dc929b4d685774ad47b355e1de23341de4ef9297bf6657c2d3601b58cb46fd9a973fdd310c39a3f1761c21faf088e8c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
643b7f226d7b2162e4137b1962e056d5

SHA1
271d7a4eb9bc9bc1004ece9ddbf8de8edfcb7994

SHA256
62eb76b1b0c4d91f34d74c00db22251bb53363ebe154623eeff9f89f21b2f9f0

SHA512
35e359095ea7e4c9e6e0fcb9cf907ede880353a1d9540c7f2f1bf5f396112ddbb3efa0f8e74667797f0a0afc8437ffe58f26d32cbc11409d2723a7ba7e2946c1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
0071461a511a5cff716205f2bf1f646e

SHA1
eceb70272750a7eedea57be5b31b14e46323e203

SHA256
ec07d2a80cc8f51cbd462c1baf93d0b9b57502fd96dfa82457559937771b0aa7

SHA512
4f425e0f779e5cf4329156e03eb1e24c1c17da4a2e819870fdadcb67041f9b3e7b88c1b4cd920163fa3d1d2e37181450794af6458d94eaba4058a3748698a8ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.2MB

MD5
8410e27e612d5353d6adc6530ee511b6

SHA1
2fcf023878db23f6616991f0d0d229c267d86036

SHA256
c32730d3293f35b5dd6bdb1a71903c929d5b36d2bee0ce886f81a1dedb8830c9

SHA512
ac7d3fa9bd9f8303782ac024969929bf9ce841e311ff6c56efeae4f6b48cd0d157d688eec67cbd8d2b784af8fdceff54a12f350d42f37f87e535dd21a3085f1c

Download Submit