d8b45ff0d18557e1ed88938a5aadf75174111fb6b4b533c4d2b3f61de48e601a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
Size

3.0MB
MD5

7ba34eaf22bb602f9feafe547e8dbce0
SHA1

cd2a1f550aaf0756a571d553c3a801ee25680fae
SHA256

d8b45ff0d18557e1ed88938a5aadf75174111fb6b4b533c4d2b3f61de48e601a
SHA512

36d14a773fee290a9232c6acc8739c1e44951d3b7e3108df457d497baf112571e3e1067dff1e372d1d6a7fc53e56b0d4a11fa4ffd892712a6f547a86db8fc83a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNX:sxX7QnxrloE5dpUpxbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1284	ecdevdob.exe
2768	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDP\\aoptiec.exe"	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVQ\\bodaloc.exe"	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe
1284	ecdevdob.exe
1284	ecdevdob.exe
2768	aoptiec.exe
2768	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1284	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	91
PID 2184 wrote to memory of 1284	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	91
PID 2184 wrote to memory of 1284	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	91
PID 2184 wrote to memory of 2768	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	92
PID 2184 wrote to memory of 2768	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	92
PID 2184 wrote to memory of 2768	2184	7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ba34eaf22bb602f9feafe547e8dbce0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\AdobeDP\aoptiec.exe
  C:\AdobeDP\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDP\aoptiec.exe

Filesize
3.0MB

MD5
7e1515d04f4342ed38c9f2d07a36baec

SHA1
fe885c62981132a1b77abf6a41e291649dad95ed

SHA256
2f894b9a71d1dcdcbb3a19f406ecd1068258bdfd0c29185abac25ce1774bdc13

SHA512
28d40996505e98c84631f1c2fdc4459fecadecb0d85afabeb05b84c0c9319208b159b03535f5aab04cadc12aa5feb5640f616db0bac837f7db038389c51682ae

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
5c60d4073c197d9943f7880530c4052d

SHA1
192f290f0b6cd6df89fd6ed29c837c6716e5228f

SHA256
5250840f0e684f6cf964bdc1c5b980bb2c58b8098af16ba6c3dfbd876589112f

SHA512
72afa31c5429580ec9b6e3ed5c7aaf44085ffa8aa037de6bf1968d6511b38f8efe8eba1d5202ee8b671be9b23442164cd645e0bf3b5bcf5b0b5908478395c1e3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
aeb6da74e7b2549d739ea7751fd1fce8

SHA1
9ca8d45f2ab52aa4c3524db90fe409cc71503e1d

SHA256
8a91761e42c8accad3e09a277b64d6ca1a8a742989f875223d00ff5bbf937594

SHA512
20453c8f08508e173fb3fc00265e2565b0057ca8bd39caff23c62435fa587bc3410aca6eca7e0caa88f1da1905a36f0d75bc065a05f076d90e8c95b34822bf70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.0MB

MD5
fae0e31b7a157bc9a78243d153acf1d9

SHA1
0929f17e98787c038940104a2578cf69c1523f5d

SHA256
570975a8a82926924b454542e57564b9f5075eb67d31fd43c0623d442c342b1a

SHA512
b9bd1e119b9bc68dbc241229d8b89424c081ce7155e8b99f05a2b525a15c650af2637446593b03a59a926aa97d16e47e9e87a8991205fc17ba6bd929a766f2ae

Download Submit
C:\VidVQ\bodaloc.exe

Filesize
3.0MB

MD5
c9c94a0c4b966c4eb247bc030905557a

SHA1
e6deda2c06a24d486f4a439ee7ec657fac255aee

SHA256
a544052eda4eebc3a220b71ebf2ec49c71aadc9247564f60ad3a638fe5c7d10c

SHA512
3a87edff1a9d1a9adf4069c4c8588e6512ec75b93500b020d4e7592818fd7f1f22e3b3ff47a62dbc43afc8a25cb3828426eef66913c1df202a79a8cac389c0c9

Download Submit
C:\VidVQ\bodaloc.exe

Filesize
3.0MB

MD5
e89bc73a3df26994fd9cc125656e4c56

SHA1
46cbc8acf602b26343ce2f74abaf648511a9b501

SHA256
f088aa4a46bd76ea3b1941499c24b1997ac4e1871e92dff3584fcef06bc51c10

SHA512
cd408160f33ca05e07cf5161a6bf4fba2def92ff201680f45a1e42de0abe85fe8783ca2f075224f442d50bfa57e9c013cd6ee8eef2cbaba4beb3aa1c52a689ae

Download Submit