0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
Size

4.0MB
MD5

19b0f5933d36b1ec4287680a90985ae0
SHA1

c7d2f9a9cf7888f2c63878096ee8ac3366a10608
SHA256

0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46
SHA512

55ef093b7457ae30d44c0e8ab256daf5904574518517edeb4d5cce3914eede5b8a9af2605fdb3724b270275b3e439f2e92d3f7b0d5c5b0fd828a54ed8d14d9a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2140	ecdevdob.exe
2628	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTE\\xoptiec.exe"	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYI\\dobdevloc.exe"	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe
2140	ecdevdob.exe
2628	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2140	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2140	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2140	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2140	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 2628	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2628	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2628	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 2628	2976	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\IntelprocTE\xoptiec.exe
  C:\IntelprocTE\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocTE\xoptiec.exe

Filesize
4.0MB

MD5
b148e381e0eb64cf7a223784a6bbc5cb

SHA1
b2d7631b49f2fd7ca008cba56436b500237fb30c

SHA256
8b257ff6967b10c7066ed2a5cc884e1fae1b30ff83fdec579e4475fee6a687cf

SHA512
94697a9fabba2e8796b5b81bd1679eea4841ee4106294a28f97bc80670154be8a409385548ad5f4760f6684f72eb8b58ec91069763538f6b9c83b269a0116131

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
fa5a3297b67f0673146da882ddf97293

SHA1
f756b1099f1549d33dd0e474bdbd2cd91c5cd878

SHA256
6def8e90a1b0d87848204663d658d839c5fdc4f59691f65c2dbadefb3281d338

SHA512
67e7f3a43665ce98ff1f9096a8011249808d1f1c120807c348ccf40439cb6573b3c098f93318ffccbfcdaa28ddd557db6a4c29270e9661eb488df493590a49c1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
423ac6daf35382e50cffac0d4f35aabf

SHA1
6a87f195fa5f1c5355ffac48bd5a4524823db5c6

SHA256
a0f17f3e8dd3ed708028cbd76c0624b1893bcc4a10ef025036877b5edf318492

SHA512
43e46761c81cde2513c876a12da1a0979b8a678ec5b1a978b4904605a6bea6664892e8b08fceead4bfb8f7e42931a5236586a4858517e89a54596060f8f3e206

Download Submit
C:\VidYI\dobdevloc.exe

Filesize
4.0MB

MD5
f61784426bafda06b8e9eeb4365b96b5

SHA1
30f46b9d583b69513b7918403e68694f8cf53d3e

SHA256
67a3576c041d8c392a60234c65c7aaf67f218e46133910cee3f804a476a690ce

SHA512
36cdf985b412fa8e5a344e81b4cf375fcd7e8a0b50656d6ef84dbeea39ab16361ac9b46fd91b0631f8006cc5fbde130029e830afdb005ed251f505c3d820c167

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
4.0MB

MD5
a5207d9d4db1b0137c7e73b2e1ad8124

SHA1
d75009e3f9f1e3e6298eac22220039846f5693cc

SHA256
e707e275ce0a2a01b4a92546088abdd2b84e32b19d7755ff52c18f0be34fd62f

SHA512
2694bfae623cf5db25738e1f0442bf6511e6497b0839cc3d28755650ec593a3e7356c90739fd89eebfc7ec867a731c9810080707a9fe3aafcc6f822048c504df

Download Submit