969373777f286ef1e1b4b272458125017ee07b8c794c3155f4a564f358a85ef9

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
Size

2.6MB
MD5

95779512cc92396444ef9f73d1992460
SHA1

81f230bbdd877ab81aa1e874cd4d513d5e5bab95
SHA256

969373777f286ef1e1b4b272458125017ee07b8c794c3155f4a564f358a85ef9
SHA512

504176831ef0e09b7d2122be3104352fba1b1a67ccef356e0283f3bfc37fa865545685618a39313b8ef31c92ea93766c26a75ea5f147b21111b9b818987fe1e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp/b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	ecxbod.exe
2652	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\aoptisys.exe"	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI2\\dobdevloc.exe"	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe
2176	ecxbod.exe
2652	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2176	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	28
PID 1944 wrote to memory of 2176	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	28
PID 1944 wrote to memory of 2176	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	28
PID 1944 wrote to memory of 2176	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	28
PID 1944 wrote to memory of 2652	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	29
PID 1944 wrote to memory of 2652	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	29
PID 1944 wrote to memory of 2652	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	29
PID 1944 wrote to memory of 2652	1944	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\UserDot4X\aoptisys.exe
  C:\UserDot4X\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintI2\dobdevloc.exe

Filesize
1.6MB

MD5
362d3d666db4b6b6952d930fb8e7acb5

SHA1
96c34300c54835e527d69eb7c212bc612802f726

SHA256
724106ee6805240ff5b25cb531f42c2b84c43d9cdc332708fa7060f41dde24d4

SHA512
f3f4ec298f01f6921f27e510a6867ef69f32ea861d56e154235d57d70068aac77ffd757a3e789d84258c7c1a92545ffccee09ce2e0de2c750ed9bd8c78703c8d

Download Submit
C:\MintI2\dobdevloc.exe

Filesize
2.6MB

MD5
289dcb3b0b2d89367c545f3ccdd026e4

SHA1
a449b39881cb4779df17c33ec3aa1e9e4fde59c9

SHA256
38328eb2ec713bdcb9895e948e30755928180610f23fbf8cc65107e023e1251f

SHA512
754beea73fabd6a9beb54d88b423e19eebfa65bc6c28f0843976504f22e18772f2c0f531f882605f272573bb30e05696329b440cf193a2fd220c7d011c5b67db

Download Submit
C:\UserDot4X\aoptisys.exe

Filesize
2.6MB

MD5
3dec5dfb98b6594eb3badc1b3a23c80a

SHA1
91bb5efdb489399eecca23f09e1c8b2caf373f4e

SHA256
a5dec7f7a8fe234be2a4766d9af459353982e496f9258425cff8accd9f92323e

SHA512
944eb5bccd9ace0a66ff6a0955877fb1759fe9bbc3e1f3ed3b295f8fd405c717947da98dc2b7e160fdf240c29d1efc6baf9b48817275630c85cf0a3782a2dbef

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
38b7bdd3b17b1108936c18e755ef0478

SHA1
e26301b1930de359f90332772b1b97dea549bf71

SHA256
e264cb1e4f63e8a4f44f803843072b2493bec2814c9dc57a0acaa8d8f40d3737

SHA512
c07a24c21e0ec8e7f466ce57661183fa59a059a9a518c04fcb17d5a60ee7077af0c0adcbbec87bf05e2f7d40cd922582116a3fbe673b338c3a839eccabe10b6c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
18d243c561572eb590a26f9ef8ced057

SHA1
e0d53590df44f3690133a03bc5ee5e29d4a5fae8

SHA256
6f51b30922ada35afdbcc93e957d4f8443b288d78d775ad87a8104e2318c67e5

SHA512
7704059694ff8004d1f2945a72dd788b2b5d8e0968dc5e11034e002aebf5eea0957a66a2d5ae3b9112cd93db8345a6107cc0a0945c5b8608cbb3728f94ee45b1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
46e7812a0773999ab7fbd6816875d761

SHA1
74b48ab482c9d1b36e5ffbe21dea73c971f7dcfd

SHA256
5bdda2b4d00f272a10e3e5d64464733f470a02eebea4720aa52deddaf4c21907

SHA512
19b9d32494a17b3c94b4be941513c5aedad5e23700103cdfe8416b481388782767f55260bde90f48302b6dc5a2f16fd780cfb434046c7f93690ebf19a4bf51d6

Download Submit