864624286e452de23178a30d00dc57123894915ac5e38dea324a2a13a2448806

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
Size

2.6MB
MD5

502062ef99bc30d49d43738550ff62e0
SHA1

d34f5675c62a73522b9b07026eb64819bcfa38e2
SHA256

864624286e452de23178a30d00dc57123894915ac5e38dea324a2a13a2448806
SHA512

e55ec80223f4990081bdcee4b1aa6f380f458322f576e551aba6de8c41cd92a02db07954b5be3921d0642cdc8c3bf3cad2c7386700069220ceb10d90263db9bf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	ecdevbod.exe
2596	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocV5\\xoptiec.exe"	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\bodxsys.exe"	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe
2056	ecdevbod.exe
2596	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2056	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	28
PID 1008 wrote to memory of 2056	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	28
PID 1008 wrote to memory of 2056	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	28
PID 1008 wrote to memory of 2056	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	28
PID 1008 wrote to memory of 2596	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	29
PID 1008 wrote to memory of 2596	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	29
PID 1008 wrote to memory of 2596	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	29
PID 1008 wrote to memory of 2596	1008	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\IntelprocV5\xoptiec.exe
  C:\IntelprocV5\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocV5\xoptiec.exe

Filesize
2.6MB

MD5
cba91cce40f63343f8d36a960ed6acb8

SHA1
76b3416aa499670599e02536f1050327a10de291

SHA256
997452cc3d7a30c41176fd731c8a5c3794d2c04c7a7ac86ae0f83edfd5f41938

SHA512
0b23b83c20d5f7e7d7b202dd3ab74f1a26096928c4cbd6e14bc9518c2e30336f75e3ee216a76a4494081b891ef19814e070dccf4ee942092b27432339475e29d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
72a2cf69b47fc8520e4566bfa49e84ec

SHA1
4e6f7aa5c4e505f0e9357eda3459aabff17840a4

SHA256
f62c09a581ac52733ff3d781390fc2ed52b4c6e49b493f388e962245be65e6a5

SHA512
f28b2a3db2d810714ed25f19681b423a9cddc85c7a4ea76d9ef1f9d6155fa81c14ffe1cb22aa1b6050c2a535722489c0c3f71e6d47b16167ad351dac94e4f425

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
35c974607559dc7de57b479d96a62268

SHA1
4ae1c9c90f56a4d0496085c168bd8605b483e650

SHA256
a791e78f2ab5d11777482fb26e2f407e54087018970444c7f9372e475b6832f1

SHA512
e219e89b94d7ccc51eba609bc362cd04b3e656e84dcf14f054476f0e727dbd9b0d704f41ab82a8eb89b7d690d6828cb63549f791890daaef346588101de95a82

Download Submit
C:\Vid3F\bodxsys.exe

Filesize
2.6MB

MD5
4e837fbc06268a8fd84cf4529824c230

SHA1
e48b302f3ddd7279627d89a42b29ce65cf8dc1fb

SHA256
8d8e2d06018a97b24f60ea2b030dc4a9b65c1726c3a53ee3724c656fa58ff960

SHA512
e6cd5b2d2268eafe4743ff72f8b1952e0e6234588685ef531fbe45d336c76f45e81a32f2db1dddcbbddf7a0208acab168480d098b5857c898af65db3717944e6

Download Submit
C:\Vid3F\bodxsys.exe

Filesize
2.6MB

MD5
027bb9bcb2d9cc924047bf5f5c2af3c9

SHA1
c97ba8e928303a33c1bfb674abefffc5bca77d6d

SHA256
3ff0cedc310d48c82e8ab6e7a2241da4ca09292051be561a9af993de765882b1

SHA512
0a1822e87353fd12ad6f30909b1fd16232dcb9571de8c88e652041772ca389722abf4282ea406921a9fc386e054795b9af5309443a25f59ffc4b7dba3dc1aa44

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
75ac4a19eb9f367600a9662c3e539336

SHA1
5c66265cb7eef441d11765e50ff335fc9bc984b8

SHA256
c0a07a3c97b5c4a1d3ebabb5c76507d3db204d53cad099eaf007b67b1195eef2

SHA512
b148264af562ab14a7dbe52a2b0a28700f1dc51b4baedf9b5d70a751f9f8709e0c0f054f6d4e3bbfb8335311deb37e2c3a79808f7ee2d2f774f45c365acd5399

Download Submit