b7960cc7d8d05087fa6f56b0b1057ceea00a855d4cdd2c6171721d7f885773a5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 20:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
Size

3.2MB
MD5

01931202deb4d6eaaa8fe9ada88d0500
SHA1

f728722386245783bf433d71bfe02c6ddd2dca61
SHA256

b7960cc7d8d05087fa6f56b0b1057ceea00a855d4cdd2c6171721d7f885773a5
SHA512

c707420a525f535378f86f20c0d9089183c99da009ace83671389b370cbee69225afbec7061eae7ea7bac95f2775c6cfff2dd90719a9f60922ee67ca57b9676b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	ecxopti.exe
1704	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2G\\xbodec.exe"	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBM3\\boddevec.exe"	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe
1196	ecxopti.exe
1704	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1196	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	28
PID 1420 wrote to memory of 1196	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	28
PID 1420 wrote to memory of 1196	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	28
PID 1420 wrote to memory of 1196	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	28
PID 1420 wrote to memory of 1704	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	29
PID 1420 wrote to memory of 1704	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	29
PID 1420 wrote to memory of 1704	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	29
PID 1420 wrote to memory of 1704	1420	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\UserDot2G\xbodec.exe
  C:\UserDot2G\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBM3\boddevec.exe

Filesize
3.2MB

MD5
50d95ca9e4c9032b6861486c9872f120

SHA1
045d6404d16e16a73a8139c533d5030fc5fcb349

SHA256
2a446cc4d844c7bf1d730d6f362fd3b3566df4f65940a8499c24e29898501c12

SHA512
97672b113c62b683ed8166b63b077861dc538661626a89517edba36d80371a2df8d96ad7b3a47d37ce4a50614f0e4b8df4c00c4fb41c131f80b13862573e4fe7

Download Submit
C:\UserDot2G\xbodec.exe

Filesize
3.2MB

MD5
731b8a72746fbbd2b61a790f39a4d993

SHA1
b1c802c90ce4d1ed5baa42a730faea7789158d8f

SHA256
f12530eb6196d5af17079aac0e07cc113339d5be9833a9ad6d7c126e98fc292f

SHA512
d98eaf663988bf49ff2e02c62bf51b6c3748a44bfdbb160dbf6c88c98b6a696b8b8fd75c341095750cce1e79c26754840ef79215ad8830190d2075a6db2c271c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
a7c2402ed1b597425388683bfb9381fe

SHA1
afa7a70acab1f372549077db6854b192b64f5894

SHA256
57361ba6a9535b27d7ab9f9c01364d0f76ab5f6c34978a1734e741fe709d94f5

SHA512
0a4f05d3bd553fd97130d420e2bdfbdb2ad624c8876ef2249f0ac394b567da506f49baf7e0256bdd71822e5a4a12eaff49009e0e446aaf3d262c920876c2fe32

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
1724f80a066d4c7a96d8818706374258

SHA1
e492d25e07ff7e7201d88dda503af857a2ebef6c

SHA256
52744ef5fb19c2dca8a5ff662320eb6cdc6e0e5c9b4d041e94493e4ac5d791c6

SHA512
3b7f55894bd5c4195d0d71a2ea2bddf3e618f56d0f79492e6c80217cdfb3833d53f10722c59eaa142088bea3f1018a7b96514a1acf03ca9ccda4fe775064a75c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.2MB

MD5
5aaa291a288cc5b77e7c807b120de7fa

SHA1
7de5e27a06a4934d5ecba68ab67a095919326b2e

SHA256
e4c9187ed2c4bba0be6e9edb7b42a36935a63e0cd1bdf7065ea47e186186bc2e

SHA512
9527544a58bbb2dfd85a0fe1df285d262f80bdb6b27e84644bcabab21b656dc77441cd153b917528b8143a13ad4d2645b0f13c78dd500f11a125381322446ea2

Download Submit