52cff195f86ab7cf5370dd0ce5a00dc8422189cfbbe874ce44593f0410879d8b

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
Size

3.2MB
MD5

916b2011ee81a7896890d82dbf803020
SHA1

e5c9530aafd32d5c1645c3b56a0b4c6a96a6a38f
SHA256

52cff195f86ab7cf5370dd0ce5a00dc8422189cfbbe874ce44593f0410879d8b
SHA512

1abf6701b8008415ec852f27f30ddb91eb1309b65bca9af05438ed5d83d1c3c321e8dc0704b785acf5236c64b80647d0601da23379dba023563d76142fe85289
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp6bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1564	ecdevdob.exe
2856	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZU\\abodsys.exe"	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCE\\optiasys.exe"	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe
1564	ecdevdob.exe
2856	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1564	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 1564	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 1564	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 1564	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 2856	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	29
PID 1888 wrote to memory of 2856	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	29
PID 1888 wrote to memory of 2856	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	29
PID 1888 wrote to memory of 2856	1888	916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\916b2011ee81a7896890d82dbf803020_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\IntelprocZU\abodsys.exe
  C:\IntelprocZU\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZU\abodsys.exe

Filesize
3.2MB

MD5
438ad848dbe7c72551cfb4956a1cc395

SHA1
23324fcbc3b340f364318c48dc5f4816ab5c6fa0

SHA256
d6797ca24f3d6ef0ec5af2bceb208ff08b9f8692842e8027895c8d17adcc2190

SHA512
2e1a1b85f386b776da4810e858f00cd78010a15ec50d4b4605e87b74851b83aa7a6ed5e852939503071b2e8498c7e885b27bf7ad3305c7a60caee03bf028474b

Download Submit
C:\LabZCE\optiasys.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\LabZCE\optiasys.exe

Filesize
3.2MB

MD5
9db34c766ead072c03d6a035412b1f26

SHA1
c62b16a714ccdf108599299e071a4891976edbe7

SHA256
eac3351dd96fbea6bb1528ed83ac1b439aee256ae2bfe0c52a4f26c4e673ad53

SHA512
a21cb17927dc16f8b330e328615a6665e65c1cf7e8f55a9c47f6fb77a77fe6fafa9c0bd2902fba3a6f56ae575a6b388af1a856d89c900b9089692c1ec88c0311

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
1e5ea185ff0c545629e5deaf7a8e0c28

SHA1
86ee7d6e9333e75f37d8e28f11a7e2710e5e8c66

SHA256
dec6a7d7ff385799ddb57217095c1f61bee8cce35249f3d17a69416344520bd5

SHA512
abafcf62a9329458bafe8938b2a06b3b455be9c890560477b4628e8e2b3b905cbe07993f54504a406998ec4fc00efbed9909e8037f62c2fe1110ad941a07df21

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
905315ef3740bed89b8c3698ff1729ba

SHA1
407fb609128660ee0e839578826ffcf9b7507e91

SHA256
50e5e5f01e77aa8ee63d6ea7b8a63af5535c03f25139934c19fd0e529cc00dbc

SHA512
46a9b3ba7ecd9451cae683ea757b79c6ec89c7dec5c4b1257523cd6ba6d8054af76efe77a46f8beafc6ad64533077be89030830a6e0c71d06ff25b9813bdc78e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
5e048e0797dd9b1ef5133193267ffce0

SHA1
9e7af06825dabd00ade8ebf83195af93df19df7d

SHA256
3608adaedd79fbc8478fe3e8a02dd46fd7dae1fda43f506fb31d05188137ffda

SHA512
d763ba942a87e76835ccbd12c87d4d987c289b573f7f539ce3c4931697683d8a93acc973fb5605af3d517af1f820a184ec20e98da271cffdd6bcdc3f27a1e2cf

Download Submit