a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
Size

4.1MB
MD5

19ae732d10cf23f2656aaf0e84bba240
SHA1

c0ca858bd21aac14fe3c07b04fb88cebee806600
SHA256

a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59
SHA512

36089869abd2c7c7cccfcf21f525c9416faebe6cec01ab49aafcea165c540db60d6f4565e367b64cc71af5db7dae88ec7c089d6ea203b67e7f8b6106cebbe440
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpGbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	ecxdob.exe
2608	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRN\\devoptiloc.exe"	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTI\\dobxloc.exe"	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe
2608	devoptiloc.exe
2128	ecxdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2128	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	28
PID 2780 wrote to memory of 2128	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	28
PID 2780 wrote to memory of 2128	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	28
PID 2780 wrote to memory of 2128	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	28
PID 2780 wrote to memory of 2608	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	29
PID 2780 wrote to memory of 2608	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	29
PID 2780 wrote to memory of 2608	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	29
PID 2780 wrote to memory of 2608	2780	a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4da9413c667bb5da30cbd750e81712e4bdcddc702965e73988edb2c93808c59_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\FilesRN\devoptiloc.exe
  C:\FilesRN\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRN\devoptiloc.exe

Filesize
4.1MB

MD5
7d850746e1d691fbe7e72d470caab0c8

SHA1
8cd367043c8741116709db10698faaf90d0b80dd

SHA256
206414651508c2d6112260ff567bd67bec68122d295e5e7f2ece54864b3ddf41

SHA512
7a573a7f54a95f4565c42117a920b08b8865ccb66c3a8b577880064a6b9e24e2cdbaac629cc161b5e2c1f1ff418c1ffe88978987ea7cf4a3589c924e1508d96e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
11447c66eebd7a30b90c4bdd487095c0

SHA1
8166894235473743f5a4eadbe8340a16b8d1b5cb

SHA256
0e4b6f847d50412e68b1050fd2c512456bb13f1a44887d88b8e914e1c7f165ce

SHA512
4d94198c1344ffe8273ea39c9f7ac37a6f8b7e1c5722206ffe03f2d2d8e25027bb2d7faf5dd38b30bab83a7bf693d56198313788822daceb4afe5c6d6866b935

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0b5d16910e9fce96c3532a275cc64f48

SHA1
e2bb07b9049849434564fe349edacccbda4648c8

SHA256
2e02d6a536bb47dbf5ac0ac297cab315e0f60d1d3b2a9bfdf6c3c8e3c10df799

SHA512
434117dd0efcd6fbf40628669c0a5e0c3a311882e802ca0b949e672f815b674be990a464dbcf0ef195b839e946c5c29448dc636c0a83303e48c57149ef493e03

Download Submit
C:\VidTI\dobxloc.exe

Filesize
2.7MB

MD5
0abf2dc9394b2cb7736ddb4d4fe80f9e

SHA1
4d77bdb825695184b77d3bc43330e21ae46971ff

SHA256
bdec8dfb76447ace5cbab8ffd9b554216483a99c766d41be2e5751e23e895e06

SHA512
854c29708c7130be56151e34cc653a558672bd2ec501b496d6abffe9f6082d98586549314a2ad4a715cbbb894c834d4d2cf02db809914342ba98c3432a3f52a7

Download Submit
C:\VidTI\dobxloc.exe

Filesize
4.1MB

MD5
91dfb4c8c1b700b606880be497354949

SHA1
dc5456087feae66b3621855fa5458b7d26ad430b

SHA256
a723131aed4a40abae2a276c5fbbeafac220a324bdea24705bb6f3e4ddd7ef17

SHA512
2282cfa8f4e20db31c65cea85a421f02c6c9b74e941a768e9b0519c37fa019fc17313aae1fff8e94db5a715dfb62f89dffdc367fd765e7760c7b501eb74ac520

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.1MB

MD5
9cf0e9d7d2751f2941c81170fd6bdb3f

SHA1
3f1cf5580d0459c6e2e665ffd437237c42d5df88

SHA256
e77707fc85c4506805eafa707353979349255796de11a56d2ce66d3ca4d54df0

SHA512
6d16c20919e92e370138319a45db3102d043442e5ef9b4f800ad32cf09d864bea3455c12863c1d56151617f22cc5de9d8e6187cc3911bda87bff998ab7aaad5c

Download Submit