413f2b3bcf7a0fe28af6a3e93e1987aedf1dcbfa0deb3ecd7eab63f64d01ed63

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
Size

3.2MB
MD5

53fb1e59d27c4ec5b18cd522469ea850
SHA1

231336b6ec03827a24dcc69456853a6e5018e182
SHA256

413f2b3bcf7a0fe28af6a3e93e1987aedf1dcbfa0deb3ecd7eab63f64d01ed63
SHA512

51fd369c1576feab601e282cb40d284b34705451539df2f1d065f7e98e8ec9f126db07e3c45da6f83602f9a965d2cc1d32811dbf724cf0fa73de50292bccf5a3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	ecxopti.exe
2120	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotA5\\xdobloc.exe"	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNV\\optidevloc.exe"	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe
3052	ecxopti.exe
2120	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3052	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 3052	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 3052	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 3052	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2120	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2120	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2120	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	29
PID 1916 wrote to memory of 2120	1916	53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\UserDotA5\xdobloc.exe
  C:\UserDotA5\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotA5\xdobloc.exe

Filesize
3.2MB

MD5
44fe375ea7fa3c3add902e8536f6a7d7

SHA1
1e21ef78d4f6e2002a4d5255a6dddc75aedc0f37

SHA256
19ca244b1f0a8b88d870745aac460c406627060c924afc165de9edea7b0a074f

SHA512
d8174e945380a08c9dd299a1bb722ab60de647e7e233db0601d4541ece6ac36de5b6f465785d6d4369b7b66e350b21fd89b104fec97cae27cb31a8052047b8f4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
34dff6caab16c0d89dd58f51469395e6

SHA1
2350aefdaae7a0180ee84f9865488027959727ae

SHA256
0fae9a57581b4af0814592baa5d0b5205c85f77790d81c3f970e26b6020d4e16

SHA512
2b090c6e8877f807562c204d9395a38b75f6ed036b43ac36dc20e222eb58ef16ac8f99e1321e8cd728b85aed0d7c222f545fc3a699ef14f6726861868d6c650f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
8aeceb9507f6b50fd65b089ba0cbdb84

SHA1
92005a94e83389992218b23335a7dc4dce0597fa

SHA256
459990d6b9de7454b9ed543dfae0f74fbbc3811ceb8549d8d7b4839db988945c

SHA512
75d8efeca431e0b8024bab26e05b337007a64087fb4bffa97adc82b8fd2ec9a4d0dc34526131da0caf443f38a7a22fddd91ed2d0f6ad97bdd828a82b1c55d62c

Download Submit
C:\VidNV\optidevloc.exe

Filesize
3.2MB

MD5
c49ed97c16653fd3571138c34bd0ddc5

SHA1
0f4c4e5a2c176de4e34b2af80e58fc538c29c510

SHA256
0888885381b502f7b4be0c0e2c644f6cd866d58961676c1234e55b27bad8c6f7

SHA512
90206b32f75ae6709e4d0c90380e6bbcbd628ad544b2e461e5a5f59b9bd34d9666d73d42306b12640929272effbbf2d7dcbaec8dbd70f1caa747c785c9df2cdf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.2MB

MD5
64ebdf017d6683db8cbff28bc349f0a4

SHA1
3b3cc95740f26516480cebed81e487c5ab3a718a

SHA256
827208ffcc4773e5934f7903a3e413ff07400f09df5e8b12e630b9b6d1cc1509

SHA512
a9d872762d520fb7efa35022c26d42d01519080b6777b23aa7be68e24ebf0da3dd9fe75daf19a36166bffdba6c156c8891a2a17d3e814586c576c7556ec8ebaf

Download Submit