0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
Size

4.0MB
MD5

19b0f5933d36b1ec4287680a90985ae0
SHA1

c7d2f9a9cf7888f2c63878096ee8ac3366a10608
SHA256

0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46
SHA512

55ef093b7457ae30d44c0e8ab256daf5904574518517edeb4d5cce3914eede5b8a9af2605fdb3724b270275b3e439f2e92d3f7b0d5c5b0fd828a54ed8d14d9a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	ecadob.exe
1064	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe70\\devoptisys.exe"	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIX\\bodxloc.exe"	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe
1408	ecadob.exe
1408	ecadob.exe
1064	devoptisys.exe
1064	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1408	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	85
PID 1940 wrote to memory of 1408	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	85
PID 1940 wrote to memory of 1408	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	85
PID 1940 wrote to memory of 1064	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	86
PID 1940 wrote to memory of 1064	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	86
PID 1940 wrote to memory of 1064	1940	0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0393967f332da6dc29254ac1fdec840c7f99ec0ed9c425ede0e40ff510142f46_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Adobe70\devoptisys.exe
  C:\Adobe70\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe70\devoptisys.exe

Filesize
4.0MB

MD5
11d4dbed018471073f5efde32107e538

SHA1
93f0092188fc86095728a7a97d9cb3bba4550f59

SHA256
fa014b53617168ce8e4ba49c21956b6f7be3dbe758b2e59ff22155ff663e9e0c

SHA512
21ed9f9185cfdabe945eee1e163484dd022adedcbc308746fda31ca96ff56d6d3fc306e853b695d52d55f2e03231a09fa783abbf910c92bf258705b4047766e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
80cd28b1d62cae8219cf565e4b014801

SHA1
41cde82d9d0f5be8c7aa479a34d0d7bbafb4b899

SHA256
9a8be283a3fbeebe110d6f106e80641fc5461856832f3ef049132b7275263729

SHA512
a997d01eb26359e3f1dfdf411eaf3514fe529e972812615ca0f8a23e77d4a7a7b84bb10099fde4e1e55553283a81fc2c8186486191ff137d1fd04f6b5ed426f0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
107327117697d4166fcd94c56fcf0bd2

SHA1
2c2a654e25bb176a2bfc73e4100a2ef6aa90b709

SHA256
4acfa5ec67a478892093745807b8d7eea70ee754aea5268aeca6e45200c96554

SHA512
9a1fb4cdc574c311b071c97f13bad882ee205c97019cb967d2a104a162b16787ce73d03e11dc885602a79450207b7989d901d3018fac2d14e81b8045e5b5ffdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
4.0MB

MD5
fe1aae73363f2a535456a8227c6ccedf

SHA1
6b91aabb9a7bd80198ebd75491587e8dacdb44ae

SHA256
f25b8b6645fb3df1136307b069036094d517c4c5be6d4c6569467bfb68c60cc0

SHA512
2ac76332b570a863a85a8c2c299359f666590befb7f52d3575e4789917e40820ff60d7962a783638d86c60286aaafd955d1235dde069146eedd1569de1448a98

Download Submit
C:\VidIX\bodxloc.exe

Filesize
385KB

MD5
544c698eb838654e323b96f47dd0af06

SHA1
ab43da8e500511919e2c225dc921fcb4f264fed0

SHA256
06be337bd6d3fbfb285a3e49d272f0c85b885cb4009b8000aac79294baf23c30

SHA512
462d564640f5c287be3fce2e1915f87426d0d856aaa972998c25176f9241fb6fbe66093c73f7add1c0988152e8a26ac97951375745a9d76c502a19c833db8c7a

Download Submit
C:\VidIX\bodxloc.exe

Filesize
4.0MB

MD5
ae8eb1e32f5caa85382c081522a856ff

SHA1
a512b3268049f4e1eaa7eb05eb5bb6b239bf46c8

SHA256
66faf32cc9fedd0631402a21ba879bfd87d68fd96c68909aa4ef88915b3ac20c

SHA512
39084eac3dde12f375c4d277ebf4f7f16c2c88f95b45cfdd3f1f2231fb353372a44f3833049fe2e4c50bfc160cf3201e061ebaf1b1f3caed9ce537d38432061f

Download Submit