24b4f6afa459cacc08eee536c212605f5f65424958944547e912a0a94eccb6b4

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
Size

3.1MB
MD5

6116b5c411c0ce0a30ffd470a9fbeb30
SHA1

246645a6bf29e4a07c41f65aac6e2477a2c94de9
SHA256

24b4f6afa459cacc08eee536c212605f5f65424958944547e912a0a94eccb6b4
SHA512

5e36495a6d78ef06a543b44ea07305bf3c8c4e1d735ab1c4ba9e63297d3e29eb11993406561354f6b4945bde01d6150a197a7f5fc4ee38b7390b719d8588561e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpPbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	ecdevopti.exe
2664	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0L\\adobec.exe"	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAP\\optialoc.exe"	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe
2556	ecdevopti.exe
2664	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2556	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2664	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Files0L\adobec.exe
  C:\Files0L\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0L\adobec.exe

Filesize
3.1MB

MD5
e2e622a1b466d3c3c3ff63b9fbf183ad

SHA1
0591cbe9342a9ed7275de5e48cd0aa76e027d05c

SHA256
498813502b549e02bdeae2ba2b05d01843d8c26d834ad848752bea243e1a3c73

SHA512
0e78b6b353405a41d475b5b92cec71685cf4748c679737ada4371b6697fbef30bfa2438c48fabff12b78eeab37a570022171d7967b937338560c564a522718b2

Download Submit
C:\MintAP\optialoc.exe

Filesize
3.1MB

MD5
31859395493631af40a928201d2061e1

SHA1
180b621e8eefeaa05bc7dc5a3e9f5a5ccb3ca8cf

SHA256
b4ed33f403c462cdaef8271aff1fbd78ab6afb03fc17982ac9abea30a3b424c3

SHA512
58f22e1f4b20a1ad8d83dadbe4f843a0868c08dd55a46ee5238e6809405ea117ee2ad8398e3d9865f3fdcf368ac8101dafda03b0d28de966c1cfd029829ba4d1

Download Submit
C:\MintAP\optialoc.exe

Filesize
59KB

MD5
c681406f0206ff6f39faae542685ca02

SHA1
17194a6e44c30508ab4b5584051495254faf1164

SHA256
2bd598777819ffc71cfc165de225f85fa08a8fb094956522458ba030d8043d34

SHA512
5907c2cdf30e397fcdb8d015b8ec0f14f4f27225dc83a2ccd23ac9b1fbee434243c8df0ff5ab840c9b7673d64fecac4ef327aed7ff9a61e9fba7de0cc66fad9c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
da009bb18881a5829f5bbb47b7cad36f

SHA1
401ea8c22e9cecbdf61f6d1c1757404b8181424c

SHA256
87905a3ee64d40ff359703f3b0890be912fa1911ae6752d7668facf267ac0dfa

SHA512
64b8c964b11c30ef355c1c7ac2e6e452fa42eff724ed95d602c940b67c1d745491e90330d9c0204229bcd7a8ab87aa02e282e00dc6dc4270547f6e8b07ce79ba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
55f19fc081eedd73b3fba01583fc96bc

SHA1
d7d5b1981b90dda06921a3e93968ca58f16b5d64

SHA256
0ee713fd8769fe63ee928fc9754e2efd848b6f2f872708a575192c127600ee5d

SHA512
c380427b04cd1c38ced2275b39c507e3b4cc56ef2e0b3873d1330efd19f25cef42d2b444c2b2295206d266a40eec65b602354931e7b2c807634cac0a1ca5d96f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.1MB

MD5
e22e9240bd202fe2d5ea3146acd6111b

SHA1
5ab43f2c430b7626e1b9072e4666a015bd089c89

SHA256
4927045ea3d8ba1ea176ebfd36eff2af11ddd0bfefba164c10969540c0a21f8b

SHA512
769958af5779338cc32548adf6c46a0366f0c3ecbd7f1adc6e5fd655e43c8206a00dffa8a61bd6017f074c3312f2588636e921a44f7eac27d8df0371844d536e

Download Submit