473c62e0e48cb76a573436ee869ee0a0c768d3a730ffe0d95447a2a180d458fa

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
Size

3.0MB
MD5

4a0756aa51b0881347cff5e93276fa10
SHA1

90cf9e83acb2d9fa910a2d6cb53668de5ff1f538
SHA256

473c62e0e48cb76a573436ee869ee0a0c768d3a730ffe0d95447a2a180d458fa
SHA512

5db856e61c61371d332b3ddf34876218e33905af7885ef4cc7b225f7d1e5ed61b43e4aa219a42dfd5d2e5b0ad2f27ee860414bc384109f4c9e3f7a265312581c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNX:sxX7QnxrloE5dpUplbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	ecabod.exe
1704	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQQ\\dobaloc.exe"	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDT\\xoptisys.exe"	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe
1196	ecabod.exe
1704	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1196	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	28
PID 624 wrote to memory of 1196	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	28
PID 624 wrote to memory of 1196	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	28
PID 624 wrote to memory of 1196	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	28
PID 624 wrote to memory of 1704	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	29
PID 624 wrote to memory of 1704	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	29
PID 624 wrote to memory of 1704	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	29
PID 624 wrote to memory of 1704	624	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\UserDotDT\xoptisys.exe
  C:\UserDotDT\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQQ\dobaloc.exe

Filesize
2.3MB

MD5
622bfd86990978bb683360a173c4f0ef

SHA1
72e6b2ecbfa817b1df5b9a4554e133219ba2eda4

SHA256
3a0cf487bfcf6412d6c62afb21b1c9d193af3fcaf93811a96e9b2f0d86aa91d5

SHA512
6071ce13a8dd29bbbf4f303d6bd3d458b50b755ec9d3e7764be47d16f1028507a9dbad0b53f59c555797c8d113550d9885064a1bf4f527fabdbf50e14c385c81

Download Submit
C:\KaVBQQ\dobaloc.exe

Filesize
3.0MB

MD5
fc6dc22120e6a9962bc71bdbdda73eed

SHA1
fe537e658ffda02daa9846def56be3cc520f9857

SHA256
8aa5f412cd8f902dfede3e755d769d1f7d28d09351f113ea23c9de4b4f4a385d

SHA512
2ba0795172187f96bbec867753afb7961187c06cdac2dbf5825caef5093ba64c26dcb11c2ed1a4e044edf02f516b8c4370d588d17eb01545bb8557996eac01bf

Download Submit
C:\UserDotDT\xoptisys.exe

Filesize
3.0MB

MD5
75c0284daf199ff3ff99130e279fc467

SHA1
4e5b68b7ad9e285cdf93ebe3df0ddafcf1cddb53

SHA256
abc3f3ae08418d175b4c517a7df17228b2518906235df941bac5bf05079730fc

SHA512
1ae4999f9ef4bd08c78ad70a2ccf543b66b61e5f7037f901b9757af4270465e48a87e05211bf4d4b2fedc9c63867c674049d31a3a316dd714ac95e29214db097

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
8456938cb093d7e56432b74f52f521dd

SHA1
b4b67221aef0fb08c5ac81545906f51e04533589

SHA256
62357e25ce63ea78a9fe47362235c9f028c4483b029d6a11c79624f2de40e8bf

SHA512
8b7ecec1ff7e67e5c5ce79f2fd7766ccd3798676a130fd2355073b55839b0750239dcf83aecbe6909ef5181103c4576f91c97630acc235c0a6d7983f9e7fc311

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0ab0138860c11670e5a3bd4b88994884

SHA1
53135aa390cc029671df6b32c4983c409e392527

SHA256
395d295c584948fca23b6b786dc2da28cc7ed7df90553d12ef8fcd3f66fa91bb

SHA512
c0021d6ccfa7a26317b322c4ee78a5a80e895573c053299c32f8fc75da68bd952c81b6abb5487d16caa18bc384e4d12a7a1abe17f4994fa49f7fbf7aa3f2a304

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.0MB

MD5
cc5f2b1fdc780c289209b00e330728c1

SHA1
1b44e674e7d8029e2082c598fc83eb38ec3c1552

SHA256
d70268a843f2454a4a260ce9328eab3329b107bcf86f130ac440fcde0c9c5bdb

SHA512
e3ec9185f6885e687ad672807160d1b297791300062fa17ba2f3adbbc639e067d2657aa1f41da3a784ffe69a0f405e7c48e9069591956f109d2e7f462d7aec27

Download Submit