a7d5c67b4394e0a303e8741e27cfb10f07e5428aac862fd313083ade8eafafce

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
Size

3.6MB
MD5

fe0671204c9ed432322b4fec02ecd1d0
SHA1

424c846d17d4bacbe303e99bc35eb8cfb715be34
SHA256

a7d5c67b4394e0a303e8741e27cfb10f07e5428aac862fd313083ade8eafafce
SHA512

9782c6ef016f51bbe9fd375679745b143c4a867879db019ad305fb48a2d14381908aef08e68ba74d964be03e83c8ad19c40222db78a07910e6cae3893438d6fe
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpTbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	ecdevbod.exe
2844	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8K\\devoptisys.exe"	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBME\\optidevloc.exe"	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe
2988	ecdevbod.exe
2988	ecdevbod.exe
2844	devoptisys.exe
2844	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2988	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	84
PID 4060 wrote to memory of 2988	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	84
PID 4060 wrote to memory of 2988	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	84
PID 4060 wrote to memory of 2844	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	85
PID 4060 wrote to memory of 2844	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	85
PID 4060 wrote to memory of 2844	4060	fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fe0671204c9ed432322b4fec02ecd1d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Intelproc8K\devoptisys.exe
  C:\Intelproc8K\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8K\devoptisys.exe

Filesize
793KB

MD5
cdec12451392336f5fd6f3b313a0cf6b

SHA1
31eedafc619de02225bd437b509155822f74a29f

SHA256
5d010e8ab2a7657e4e99a7bb3e818d83b13de5df9087b6a9e4ff909ec0705c62

SHA512
b78d15ce441a53e7a515146a30f3108c5335ce27e9cc211055607f28c8fd09f1e5898bf6d4887e2ebe2b2249fe2c3120766593e17a15b96e8afde4e4c43fa503

Download Submit
C:\Intelproc8K\devoptisys.exe

Filesize
3.6MB

MD5
32b479b750142b354a17f456ca4f509a

SHA1
6a8e57c14a6381ffd4b00c400f6caa934b8ffde1

SHA256
fd25a6d3e37000991219c9b95cc42d4c5b1a9507833cb2402c6d5b9c8b1bac3e

SHA512
ea4bbd1b456a3253e5abec26f2edce6ea254f70dfdc8606cb3c1d3f047b8c798f6ae0b225d17852435ecb141d48851333e2a54b2522345d4f52330764b25f791

Download Submit
C:\KaVBME\optidevloc.exe

Filesize
3.6MB

MD5
fdb4e817652715560956d6f54b24a6b5

SHA1
72b25191763d3ad6c1679da0650c8e9c09a451e7

SHA256
1f6db974baf7c03d4e1c27f6820bbe973118f209fc98d9b9c615f1091b772cc4

SHA512
d92d614162b2640477515f62d7e82b839f33cc7e6b43b5019ef7262b32b14ef5afcad12ef70fd27a22d527301dc7e72d44de528655cd03b76976ee6f1756a6c4

Download Submit
C:\KaVBME\optidevloc.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
211B

MD5
2375a7d8cf510d103f53d874fe780abf

SHA1
e624657ced77bc0a71313a20d5797f669e214299

SHA256
07f8d85da7ef9c63f8b462470d7bd46adea2dfb9e985dddcf0b79f97af484282

SHA512
b33dd6f1233d764d916c387ab8d491d196ad9fe593fac780f07375ff81d1b3de47491c36365353e2901ca64d4b465ab0988391454b8394161b9428be0482ba14

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
179B

MD5
ce3dad3d22aee83ae8758a6c04d7a72d

SHA1
635862986d79f460fb22fece58bbfbea27718935

SHA256
3af4be897af4f061081c153cbbde783e3dc530c72459c21bc44dfa66fa44fe0a

SHA512
25b8d9fc5c64984d815c4f82a6393d31243da334790f626b851a9389b59126388350978260b4a0d47a2bf966a3ec922fe42f58ad6863d5df49caa0e788c1a22a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
28b3a5480999c2041ef15d3e8dfcc19d

SHA1
57d35d9a93219872f6d6433c538057e3a234330e

SHA256
a8057788e210e4ff12f874e93691e9db6d50db7fc483dd2d09c51c89aef8136a

SHA512
211229b9983fe00cf88afd4e50dc335c180f901074c36f4369c9f59b85d2af205529ff51c3c68d41f4fdaa0a7000bd257fdf89ae821848be8708743e79253e16

Download Submit