8d717947ef3ba6a5263d1669c23d50fbbb0ae8d0dedc0d788cc493c976a4999c

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
Size

3.6MB
MD5

a4f8186bb1cb8baa32a3e15211c1ff00
SHA1

f795b45887a1c54f3dd1995d34333c18b5d9df91
SHA256

8d717947ef3ba6a5263d1669c23d50fbbb0ae8d0dedc0d788cc493c976a4999c
SHA512

46c5bea7075bf7d42b1f3cfff0cf876c726f5844c84895dea02084a8a3b650f2a95342efd3d1431b946d969c5e0ff655148697d0075ee209f3c96376e77f2a58
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8:sxX7QnxrloE5dpUpSbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3500	ecdevbod.exe
3888	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2H\\xdobsys.exe"	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8N\\optiasys.exe"	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe
3500	ecdevbod.exe
3500	ecdevbod.exe
3888	xdobsys.exe
3888	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3500	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	86
PID 652 wrote to memory of 3500	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	86
PID 652 wrote to memory of 3500	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	86
PID 652 wrote to memory of 3888	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	88
PID 652 wrote to memory of 3888	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	88
PID 652 wrote to memory of 3888	652	a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4f8186bb1cb8baa32a3e15211c1ff00_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\UserDot2H\xdobsys.exe
  C:\UserDot2H\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint8N\optiasys.exe

Filesize
3.6MB

MD5
641d94e1cb2d148f542d30b7a05ff95c

SHA1
1ccc2614acbdbee038c6877a712297a21aa39282

SHA256
6be5ff425eed0b679a7157288d1ebb281c5b44f435aee75e1509377b100f96b8

SHA512
c92685606d69cae8db2f0c5e6f600973d2f714a611d296dd1c6ea585778c2efcad21bae6ab51295c44b64ce198e7cd859a0c00994dd23169dc32a6af601d295e

Download Submit
C:\Mint8N\optiasys.exe

Filesize
3.6MB

MD5
50a4bc9ea5aa1a589ed3fa4ac737aa2a

SHA1
1bd31260e815a161639fa360380a9008c18f18f9

SHA256
f6cefae09c1b5f0a7675ec04352df0bc440aec3d506a23a87df45b108f87a9be

SHA512
f5b5ba136db70860a7601c78e9a44fa96635e6c15c6e017abc194c7a010bba47dbcc4feef9bb4a12292c78ffcf26e55e82c28f067f57ea1533f8dce3f6c6fbf0

Download Submit
C:\UserDot2H\xdobsys.exe

Filesize
1.6MB

MD5
a1c5a9c6f24f1edb04a9540a1c743ba7

SHA1
066ff9c714a8c5d329992b75b8c7e0172bbe5dcd

SHA256
f873e597a02494db72658def2624f783c84502e33a37e780c71c728b3efe136f

SHA512
9a0cbc0a1f8b98288d31b7972f0ea7cc4110168f29508e2b29901c7625c040bceb05b50a88532fe6a5292836a94d52dbdd97b1ce58c4bc1f89359925b4702a89

Download Submit
C:\UserDot2H\xdobsys.exe

Filesize
3.6MB

MD5
df19ef44862c4d035125d764e5c542f6

SHA1
6a1d612332d3a3132afb177ca65dfe9fda5fdf0f

SHA256
9e53437aaaeffea12ce21a1d031ee921007fec6aecfccb215adcd7e3ccae05bb

SHA512
6ec032dba903c8d0369b4c88cbe78ea4b62750ffc8478fdb0723983a92f4aa579d2c4414a2cb9f4b2e683930eaf94635287b1556fad16f16543bb84cd50b6a0f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
1e036fb3455ebe8eec334aa981e15804

SHA1
ffdf2cb534d27f451dfe0204bc63431e64e187ff

SHA256
815cb7f48d04f47005e0cee5e62ec289e15361ec83b300e3ddac592e0a53d684

SHA512
77550e57825000d0fad1279c661a856ead6faa6eaaf8dbfaca39e6410f36169e704d708f5836c65f062ff5c6ab2f665881e48ee0a6cabb133b249d7eb2d87519

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
c03fbeac963e37094dadd39450faafd1

SHA1
fae47d7e67cd6ffbace44d28893693673a2c7528

SHA256
1911ae819a5f698c52bc544104ab60cd2c3da2d898862650943112d8ca9fa0b4

SHA512
ccac784550b3ca5481f2b3a31c561da827eb6e9b889770df12a93e85eba66e49de967524acc625f5b3a1685cf40e58ff2fee06b0674558459362c5e97756072f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
5f2b0d4c8ed588cc6c683e41f5078f82

SHA1
1e86bb53f6ccf94b012accce65269caf91b58c16

SHA256
ae8ebefe766265df250d29cad6a4ad92d3404d2005be0c30576c7ebaa6aa4196

SHA512
564a745fb414f1fbf8351c6435085e530730d286d8b3d131f01b752d639be7d61f2d3c4037f132cc3c4e73d91d4dffb4c377a4157d6b2bfb5dd9011236bafb9a

Download Submit