6f365a9e7bc4d712cc0603b2cdea7d20bb7bbef2f49706ef2e4e67340da51fc8

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
Size

3.0MB
MD5

ba163b089c79b875ca4dca32d3d46ac0
SHA1

ff6d685adb5c727f538a4142ee4d1b4099b10331
SHA256

6f365a9e7bc4d712cc0603b2cdea7d20bb7bbef2f49706ef2e4e67340da51fc8
SHA512

f69e222ff7d400e42fc90d985c9b65c21c606f6761d81653b82503205893e46ad0b0981ecc71b23106f132b4c402717d947220647b0adf77e34c935aa64ab080
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNX:sxX7QnxrloE5dpUppbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	ecaopti.exe
2712	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSP\\xbodec.exe"	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\boddevloc.exe"	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe
2460	ecaopti.exe
2712	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2460	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 2460	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 2460	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 2460	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 2712	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	29
PID 2488 wrote to memory of 2712	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	29
PID 2488 wrote to memory of 2712	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	29
PID 2488 wrote to memory of 2712	2488	ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba163b089c79b875ca4dca32d3d46ac0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\IntelprocSP\xbodec.exe
  C:\IntelprocSP\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4X\boddevloc.exe

Filesize
3.0MB

MD5
d20dc734d5e6ad39527f32ae33e8002a

SHA1
de9d26b58dc8e7f4502ae8d6dd9bf45114d5cb44

SHA256
0ea21894f68061ea909e488813b6be3922b1f3aa58f1172a262dba58277737b3

SHA512
56d3192c303b133e4d3f5e3a7e8dc39025d775828ae078f7f986c62f7a5e4b82807fd08b2531a71e33ed65fb1e3a52a37c33d819878adf526e31feda1f4495ce

Download Submit
C:\Galax4X\boddevloc.exe

Filesize
12KB

MD5
5ce46de9d1c8ab23eeb8a98bb0b2232e

SHA1
eb2b026ffaf5a7802065fa5971c5c4495fa6763a

SHA256
0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

SHA512
173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

Download Submit
C:\IntelprocSP\xbodec.exe

Filesize
3.0MB

MD5
e2a87c726a5534743fc94951154eb7ef

SHA1
172ea7f77465809ed44cb627b51516abbd138cc4

SHA256
f2e685034922a1237375e1327b4187cbfa3ea0f029bfaab5934a0c7f0efb6ba5

SHA512
4ffeb689a2d1d0c2fe24f8c497689f647a60cf7a1412212e471b6aa7a156e2a287784321b33a9648cdd460683bf8e0ea3a8c3d9085f4bec82d31cf9d61e41b7c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
f428d2db18630d89bb941b0685ba7daf

SHA1
07833edb380ca53f9aa6905655d3c19bf24b8442

SHA256
612d1b9667d0a662bcf450cf9cbfe70c4f15e5e24ae0953c85ccf1743e4d2487

SHA512
e8ac8b6130673db88cf7da8bcacc5f9a3fc1bc6e6a3718f5c5ead6768340c15589a6faebb2c829c06106cefa57ab1e05fc59915af0e3b64d709aff7f9d673443

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
5ecdc8874a5e30c494aa28896c23810e

SHA1
2eb6c0e5773188262a625306fcc87d0d96bb3d69

SHA256
5a8dcfbec68db8bd5737f5c8b8777c7f23c96d22f8943313b072974f0e7ad24a

SHA512
4bcb63dde31720290ec7e8f4cbc0d3e568e90296ac3bbaa658988bc063a9de35e789f395917447de45ed557a8ed7ec53a523c32c57c95a04be52ce2bc0f9561f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.0MB

MD5
fd87b9392912e1103c3926618d8adb26

SHA1
237278fb43f10785c47ea291ad38120422916598

SHA256
14ce13553cdb7f6d0ab8dd6ffdd3c6f960d4bf750bcaafa13c4f22be54326726

SHA512
d6f4cf00eafaa0b0cc15ccb5596213a03a8e174642f49e8528faf4aca8c6ca6ce11c37963a921f1d19c0de535b18cbc183539117d3a3a15eee355d62b96b034b

Download Submit