2911a56a090d7e681ac3b6027a9afc482ad6602497e7ca2f57a80f0489c362a6

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
Size

4.1MB
MD5

131c4ad6139c78ca53b4675fe3e82b80
SHA1

5f705b306ecb610e69d8de2fb1fecf2991867a2b
SHA256

2911a56a090d7e681ac3b6027a9afc482ad6602497e7ca2f57a80f0489c362a6
SHA512

0e68e0bd999417f639893da47eb4c1cfa0a0025b143c8abe912150dccebde43aa8019a4be388f2abd186434a029b0c30f9e406644b858e1dbfea6db849344001
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpMbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	ecabod.exe
2332	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe13\\devoptiec.exe"	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPL\\dobxloc.exe"	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe
1912	ecabod.exe
2332	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1912	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 1912	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 1912	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 1912	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 2332	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	29
PID 1960 wrote to memory of 2332	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	29
PID 1960 wrote to memory of 2332	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	29
PID 1960 wrote to memory of 2332	1960	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Adobe13\devoptiec.exe
  C:\Adobe13\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe13\devoptiec.exe

Filesize
4.1MB

MD5
9df35b667e2aebd30b4847c768ee7145

SHA1
8bf219bc1355dee12fd215b3eb76ffa175454e6f

SHA256
b3e87d3873a9949573d399f2ba04574b6c9276c462e467cc78e1c14751bb9ffa

SHA512
ecef4074b263eee22844be86e34fda547ffb9dcc1a85a292b13354786e89512e1fbcbbf5f49715b3710c3118297dee170761f3ac8e3992bf6c4b4a625b447f83

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
9f57f03ab40874faa882383ccec5d65c

SHA1
84a28464631fdfc619920c3959574bcad9402a57

SHA256
2376d8eb823099343d8135d2e585931bd4f9638e8aa7582e9f75e5ccce787c0b

SHA512
29b97c29ebb29e93c8ed3d750df12291c7844b927a7e091d3c6727468e4f3b191f427b8ea925d5773cd65d3451413f933fbd8f8d99fc6ad8bb66bd085970a999

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
bc27b211d39ec4b19648cc9acadd894b

SHA1
97bd7b77802cbdce201c6012d9001c7e73be3a60

SHA256
dd8267111db41627e57d87f2c7600b44d89b1189951cc58b6091a182e37550f9

SHA512
b3130ea3ddd13530268543f351936a3d85d4cfdbba1371a14fdc1c83000b012ecf87d678c8b85d43a26e32fc4d091a4f767ac765cad1aa266b7c0056c594cfe7

Download Submit
C:\VidPL\dobxloc.exe

Filesize
6KB

MD5
0860ba7ab87e6dbf893e728aa4621778

SHA1
6296ec6dd59bc3b8a68b647437f788d3632c62db

SHA256
dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2

SHA512
6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

Download Submit
C:\VidPL\dobxloc.exe

Filesize
4.1MB

MD5
7f64f17031dacc939cf0ef3e4ec553ed

SHA1
ef039d33ca5514219509a130d3ec181e5105deae

SHA256
f287fb6017fd08bd1495f9906ba5fb1a1e901f44e005e7d03391265df4f5e7d9

SHA512
641dc2848abb5477aec6ea2ceb0ef2141110bac8e93fbd5f670588be817a240cc833b3b6467fcb02779086737a8a74853fb95f6097613a74a29ca0e5931121ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.1MB

MD5
adea471268a7491317b2350ee5caeb30

SHA1
619a4744ff59d3da0db5a3c9ed37a2ef980cc043

SHA256
ce3abc4a282f48d21aaf0f465300cee791f55c25b311486c8283ddc17e037c9b

SHA512
ee73ec11771cf5782155f988fc8450af662e1e4925f3108a3726e3b8377e8ed7edcb6a8152d9d983d047e1d0b1fcead59a10ac5724ca1d58a3c99cb71bf4fe6a

Download Submit