00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
Size

3.6MB
MD5

77b682fc37c278fe276f3cb115885450
SHA1

d126625df474a97373a9491b77be7f8403c0eea8
SHA256

00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731
SHA512

9270f222a9695db18aa3d1ffe08a0fe9957f9bb08105ec6cb910917e626956ef2291cc0d8077d2cd30ac0bb64a344f78a2050ce800af0ebce052210e43eb045b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpubVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
388	ecaopti.exe
4980	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYJ\\bodaec.exe"	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAP\\adobsys.exe"	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe
388	ecaopti.exe
388	ecaopti.exe
4980	adobsys.exe
4980	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 388	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	86
PID 956 wrote to memory of 388	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	86
PID 956 wrote to memory of 388	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	86
PID 956 wrote to memory of 4980	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	88
PID 956 wrote to memory of 4980	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	88
PID 956 wrote to memory of 4980	956	00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a4f8a0ea809d353c3f9eb7de941e3dfa92c6670b2ffa168674f4e37aa5a731_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\IntelprocAP\adobsys.exe
  C:\IntelprocAP\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocAP\adobsys.exe

Filesize
3.6MB

MD5
7a7dea16cb5fe7679072369135f1e9fa

SHA1
4aca5e8fe351fcaf8d93835a9ecc84bfd519eaac

SHA256
0313d667ee9f2adeff32c0234a935d690571090e1c26812c1529e961b735a19b

SHA512
997558fc7c6cc34746809c8779ec778cb1a089c7e8f65bb2c78bc94299e6eb95b4e9538a374254350aa5aea75d99998208a0dacae6ea28be0d21b31db70125b0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
5533f5b9904e1b8b346fa9450d2f9748

SHA1
12b154f7134e44802ac5d00e54b0f34b7940105e

SHA256
19ca9950e4893e05cbbb4ae7f97b4c897b920c60509a61f390833daf86efe4b5

SHA512
22ef6b6f073e5c32c59be33fe7bc38c7a25edd09594b20ecec0f2c52e661056010431331bed470fffacaf502151fe16886a665b14363d4a0db2557da26582e6b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
1d38a67e538a47ab01a1049f3264b608

SHA1
0807366b547538c1ac8a8ea7f875107c126b6fb9

SHA256
c196bdf49f6b4cf9b5a467cfda139c707c5fc067f0b74403da99f831e7270374

SHA512
0693982c158f751fc57665bb61e981bc8a8cc3e6c51a136cdeb1d9e8207f18318b822cf59d3860fe00c1d0fe8d6a859e980b174b4ce078a08e51daeeedf6fc47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.6MB

MD5
594227d79a46e66515ddeb2f9433eec8

SHA1
9171ddaa9d4e9ddfe606022be1d41ce74b97b9ae

SHA256
1ca4213d0f60d8f6c71a7827692a6dea4755f9e7b8481029092455574b0dcd5e

SHA512
a472dc00ddd175a3932e77bab790de2ea61d0195f559b7ee9c79f4d4b532f590ec280e80abc9ec9ae0cb224f6e49223d0294c1520f90e815d7e1b06e06f86714

Download Submit
C:\VidYJ\bodaec.exe

Filesize
3.6MB

MD5
dd43bcf7f56f2dc0101684cb2204b8e2

SHA1
918b3d32447658c91fe275a67e71ee6e22c6b1a9

SHA256
8241b0380d050fc0b85a02db4b5c35ac0f951eb5a1f85725fe5f46251603d758

SHA512
62e1e6b3e21affa6a1b40f3016977581ea6995faae4113b54d0059db9e99800f80d0cb40a83217e4ef24d014c863dd1dbcd267a35bb0f024013794067433ffb5

Download Submit
C:\VidYJ\bodaec.exe

Filesize
3.6MB

MD5
39f34824d127cbb9ee777a0b436c8247

SHA1
8bcd00ab01da6bab3f3869ee40e3804371bd41df

SHA256
b2f9ddb5995934a9942d7e00f828761aaf5d40b71b79001e69088bffb05b35bc

SHA512
b85bab082ce8d56ee3e2ab76ff190e6682acb1486f47fd69fc3996ae59b9e58dc7350ae878e60e8ee9980229c3f810755b69460ab4632f0988db0949d3525c57

Download Submit