a90e681347d0c97cd3b88c024d24bb30e3dee0c69cb0dbb62e802c11eeab3cf7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
Size

3.6MB
MD5

0e3167f94e75e91a411fc3dc3bbcaf80
SHA1

5211b129642a3864a346eeff4b45220824dd01ea
SHA256

a90e681347d0c97cd3b88c024d24bb30e3dee0c69cb0dbb62e802c11eeab3cf7
SHA512

22c10f1c2d880e48db9ce88f0b53ce297af8bf495d966f102dc194f2ac88c5e57c4739c473c92acd773aa8efce4b54de0287bf282ad9a141b667882b3852ab4e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	ecxbod.exe
3444	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFQ\\devoptisys.exe"	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFE\\optiasys.exe"	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe
3504	ecxbod.exe
3504	ecxbod.exe
3444	devoptisys.exe
3444	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3504	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	92
PID 1496 wrote to memory of 3504	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	92
PID 1496 wrote to memory of 3504	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	92
PID 1496 wrote to memory of 3444	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	93
PID 1496 wrote to memory of 3444	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	93
PID 1496 wrote to memory of 3444	1496	0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e3167f94e75e91a411fc3dc3bbcaf80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\FilesFQ\devoptisys.exe
  C:\FilesFQ\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3212,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFQ\devoptisys.exe

Filesize
3.6MB

MD5
518adf64cf6f6f22e40df40b34797982

SHA1
a1682e133622d66c5b94c1e275e134036f4ed7f6

SHA256
66fb82c334b5512fff93bfe2fdf354b920c3622fbbfa719b018530f3f5d2bf94

SHA512
6aa830f9a2275232bed76e3d721e7252a7ccc055ccc13a32a05aad66095ec61d5e417fda82040629efd3bddcd5ca610790559e4a41a3063a24d5c5c4bff1e74c

Download Submit
C:\MintFE\optiasys.exe

Filesize
371KB

MD5
e81936009b71f321c4d5c80d0a0e9743

SHA1
4244b432cfa55cc2885abb02ffad5de7cbf23c3d

SHA256
75d67f77838cd43395ad0ab41c2a28117280f0a903041d06f05727251bb76cea

SHA512
f84edabc58da9b3cc6db2deec122b7530a439389d28de9ece4bc8ba51f4ebf6cd6685a80f793cfe2ad33d42381a43e5258567e74e57968f24e781b845cf5e90a

Download Submit
C:\MintFE\optiasys.exe

Filesize
3.6MB

MD5
e47d9a1db97e6eea03572256ab2fb542

SHA1
3be8cfb434d4140e2ff0a374a05c29a5f4568501

SHA256
595d857fa6c2021fd49e531898f2de6759228f9d2a22342e47df994ee3b6d953

SHA512
008dbf4c0f9275627afd9c54b82982f1af63f16b7f8bbf202d7fb65be055c907426c5cae609bba761308308d7627ef47f800ac690b1a18d100dfa3e6e43c3338

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
113d68f839cbebfea2f6809081fcab88

SHA1
dfdd3a0f2a7e59ef53ff4eeee2249071586d3f58

SHA256
2b5040efda7b79a74b7a807d1265d7dc37bf297919cdc6d447827cc246ea3ffb

SHA512
05bbcff1cf291f881d1cefd5cbb9fc41a4bae93a8ea1dff77ef61fd256fe2e01e8666e3df20529e2da4ed8ef48db3a9ba8c831a81084a063d95a76d3d9a6beb9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
70f6692fddd55b57d47f25b92f41bb6b

SHA1
552ebc2c113a1b30d4eb828c5874d5821d57612c

SHA256
cb5d7c8402fe74530ca839597db2cb4dacd369e14608009b626909b86d35860c

SHA512
89c271d4d186ffb0635e21c00be1786b9c7243a8af48286b11919db2327dfcce8700df60549a31d66ab0210c90d8e54d0909d8e727387ddd472ab2a6d8ea6189

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.6MB

MD5
db551469f9b9dc15ab23406743248111

SHA1
865eb4f79ef90d37bf4ae7b4045b6d9b1ec570aa

SHA256
720d09080c5ca41c43d109dde98101e32bc7f9bf3208a26b0e88bdc2033fdf0d

SHA512
99881fe13c07a098c055543d3e4688639189e0b28010b2a9cc1bed86a5dbf17d80705ed1d0939dc466c10a559ca27ca2ffbb2c8151aef0609aad5914ce266932

Download Submit