f99f68c777cbc2584c3fb8347d41be2ce2575a8cb782f4e026e15bde0de23938

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
Size

3.2MB
MD5

69fb4a3aebcbfeedd2513b69ef42b670
SHA1

3f38fe64336bbadc3b975bba0295fe31365cddbb
SHA256

f99f68c777cbc2584c3fb8347d41be2ce2575a8cb782f4e026e15bde0de23938
SHA512

4fb9c8df6f78d1d3c345cb80e9e66d65b577410205cefc386a1c50bfb7c1c54e965f43fe0b947bb2c8435625f8913fdec4e45f84f3ddb8b777974cbcd95a2cab
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp4bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1060	ecadob.exe
64	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2N\\devoptisys.exe"	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax15\\boddevec.exe"	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe
1060	ecadob.exe
1060	ecadob.exe
64	devoptisys.exe
64	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1060	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	89
PID 2656 wrote to memory of 1060	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	89
PID 2656 wrote to memory of 1060	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	89
PID 2656 wrote to memory of 64	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	91
PID 2656 wrote to memory of 64	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	91
PID 2656 wrote to memory of 64	2656	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Intelproc2N\devoptisys.exe
  C:\Intelproc2N\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax15\boddevec.exe

Filesize
3.2MB

MD5
7455c4d49a28f71e8b9ef4d0bc7da401

SHA1
82d3f3ec3f3242308fb0e39c980502789992209b

SHA256
13b67b939c485c43a06ba698ee3adf598268430896b4fba8383de642b9d2de8a

SHA512
80112735b5536d71432c9924b0094bc078ae17ddbf954f10d9a4f9873052ffac728f5d8bfb0d9a47e28d82f3de344167ea42fcaa3f09fd5051b31c5e7f9e2675

Download Submit
C:\Galax15\boddevec.exe

Filesize
3.2MB

MD5
0d23d7e661064497cb7fd66c9d156766

SHA1
8acf0d388119b6272e81095a2d67c2538f12f67d

SHA256
ad4cf3b8dcf28cb54b683c5e6896170434533094d2afe9f5f17bfe1f592d4ae3

SHA512
ae83d0d127126e1c850229b311c6ffa8771f076dd1e559912a6910da77edb613c10c33c8110297737ed5fa0b9465305ea17a60399e1c9a684f1551fa755cf41d

Download Submit
C:\Intelproc2N\devoptisys.exe

Filesize
3.2MB

MD5
5f73555d5825ab6a29dc67b762df60f4

SHA1
7a3be592fb1054b00ea41c31717cbecd6b74f8df

SHA256
d41abef56bf09ba20b864fd765b23a7e1e709c802d007952a3d2ca685f3389ad

SHA512
a93cffd94439710b6540f4e01e7aa615065369b8b711dcb424dd79e76b4eb2dae0e9c22d802ebba4aca9a9abda8c16437868a6cbf52f2107c934871d76a83dd8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
dad9d8944835aad210d3f78616322ccb

SHA1
41ef7ccc6413995d2b0f4c11915dbaf836c5fcd4

SHA256
33f192a3176c41ff8d2de6c4f121fd2ac4da8e38cc89caccb1ec4d3b2b66afbe

SHA512
97be59999ad9a00e3f0a3f66432b7232ba85d351576e2d7dbf78f499164f003fb2fbcde9994707e27248263a414c18f5c4098f40c9c85039b46ca287c4418b74

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
528cf5756d873cf82b92f12ae0944fcb

SHA1
f33f792d7acd5f6dc275665505b91643b6bceb0f

SHA256
bc7ae57e6f48f3e2cea6a3c52b9a533c52aa1582df36c288f2866eedee819ea2

SHA512
29513640aa16c5f09f5990a75ba07ac6942c82c9344bd743d5dba5ad1f6f0a6fe0d2441826502ca30819650afd4031c3e1bd9147c38137a31e531b63ea2d6c2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.2MB

MD5
0a6d33dc09a099fc8f1e7770fc42e1b3

SHA1
c812c561b16f32c07afe8ddf738de04d1cab1292

SHA256
b00132e9e7c1885129b383e8d1c7e89e4d9250311b0bed1b8d7bff7c7b144454

SHA512
fb56d98044e538afc9f98adb9c288f6072d9f5d542e9351750f1d586f57780152b5064d6423dac86d8a84bbff113e11d0f2c54254f91bed2b8e28fcd36a8a581

Download Submit