6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Size

3.1MB
MD5

1b000262b7ec3ccab0b3f80f90a31930
SHA1

ed26d834a1a84a5fe0af223a3e89fd80e03b1a46
SHA256

6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d
SHA512

9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2284	ecxdob.exe
2616	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv22\\devoptiloc.exe"	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHD\\bodasys.exe"	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe
2284	ecxdob.exe
2616	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2284	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2284	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2284	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2284	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2616	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\SysDrv22\devoptiloc.exe
  C:\SysDrv22\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBHD\bodasys.exe

Filesize
3.1MB

MD5
1aa7add3a8a228e32f0ce72216bbbd56

SHA1
26c7fb9f7cec43f5442d4b0651b98e0d631afdf7

SHA256
023f78fa5a6f1b75b52aa5d62b1fa6380888291cb30ae168d7a8890ca9bd8114

SHA512
5827ad8ba9273cceeb87da55c657248c235606d89659c4fa94f04582e13270c9a6afb4e5b898334fc4c9d3078c500f66edecfb42f051aaf05f490df2fb929406

Download Submit
C:\KaVBHD\bodasys.exe

Filesize
3.1MB

MD5
6e294583dc082d47edab62ee4f7153fb

SHA1
e1a4333fe0252a6d57d05a7712352d40c8be2e64

SHA256
c25a670c06525d70facf5d46c4003b1ac736a4886820c70f860fd47dfce44465

SHA512
728ae7c52cd581b9874560fd7e10ac69f8a6844afb1fee03d9fc3b1674a6dec7d3553313c38cc56dbc163a177919087f82cbdc7f58888ede71a8d412958d42a1

Download Submit
C:\SysDrv22\devoptiloc.exe

Filesize
3.1MB

MD5
0ddb5529dfcdd9267b611cfe202035e5

SHA1
a92f54b1aec5a960f7de14e4108f2b7de59b8163

SHA256
eb33614eb015294b57f8c86354ecc6bd4f4b35cc7dbf616b0749f273d4cb9f15

SHA512
e1a7c2ed34e1bb0ebade6622bd2632e9cba24139e5216d9a897045f32309a4b95bb310c7c3b8cfbd8b964c8d417089c40f77ebc1711058c997c88f384189671c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
7ff041c4b355f72dd888d9f799dabf60

SHA1
073151f2440f4bfe90cc4c7504c554673333bebe

SHA256
95892c0f94aab1bfea2c8913689cfef4ecb53ea3c2d5c8f7be265cec9e816fae

SHA512
4c1ae6b470bddebd9b5ffc43507c00987b3b480e3bcc4dc554b555846e405c92cae758b39af9bc1f9ff36db827cf559f6b625e5be2b0ba7f06c45325deac12d2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
d41727cf6c99947fe0411f2042dccafb

SHA1
e5395fb429fe9ef67db639703b6f3b301af4c3ec

SHA256
efc08c9c674cf28434595ba2b1dc54971ecf3904f2f71ee21630bf08c3682149

SHA512
110e9ccbc77d37a7c29419e1a820a33d92802e5df10acfbac9fba4e8f89e80cc997f09259406a49c909c7c606c0257e485e7fe045a9158669fd6eb8d7947ad4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.1MB

MD5
1083d3d4e417ca0aa85199668f43fae2

SHA1
9392c33127726776c89d31f7c5b97efa8d157bbc

SHA256
a0c30091a957a0ba94743783c8c7cf5383022ff85ebcb7f716d0f8a51519f44b

SHA512
81219ca2852311945db7dca3cdbae03a2007e076ee6859cfcea0ce407fd80a5de137297b246c2db3f30b9e0fb8745d7a203c9d56c5e7c53a38e2a3322b16a308

Download Submit