58003668c5097e85380da3d3155e672a25c29dadf5f37110c640137c7d2b4d85

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5668ba9a4990b618363ce7452b13c700_NEIKI.exe
Size

3.1MB
MD5

5668ba9a4990b618363ce7452b13c700
SHA1

35f004ac8c4330b1e3e8715f5ff9606368694065
SHA256

58003668c5097e85380da3d3155e672a25c29dadf5f37110c640137c7d2b4d85
SHA512

d74903722f20aaf12a6bf3a047cd61a34719b3fd0a2c857600da87eec37f71d0bd9d5fd1d87632230b80ae1589298a5cb6c8fed5916dfbea84bb9a4f17c58cfc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpKbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	5668ba9a4990b618363ce7452b13c700_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3208	sysdevopti.exe
3960	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBQ\\optixec.exe"	5668ba9a4990b618363ce7452b13c700_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ5\\devoptiec.exe"	5668ba9a4990b618363ce7452b13c700_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe
3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe
3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe
3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe
3208	sysdevopti.exe
3208	sysdevopti.exe
3960	devoptiec.exe
3960	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3208	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	86
PID 3368 wrote to memory of 3208	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	86
PID 3368 wrote to memory of 3208	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	86
PID 3368 wrote to memory of 3960	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	90
PID 3368 wrote to memory of 3960	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	90
PID 3368 wrote to memory of 3960	3368	5668ba9a4990b618363ce7452b13c700_NEIKI.exe	90

C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5668ba9a4990b618363ce7452b13c700_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\UserDotQ5\devoptiec.exe
  C:\UserDotQ5\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZBQ\optixec.exe

Filesize
3.1MB

MD5
b4bca3dd4aad253f17be29d93719df9b

SHA1
a882a75533abc511ffdb1e0a42dc463a51089994

SHA256
7b372b7acf9608de3d7f429d5d769cce3e779ef6fe67ef2d9d5049bf64fbb085

SHA512
cf32d2c9b49aaa2c2e0723662d5c5ddba10b2638ad3aa9ab53363896d36a821b10638e092bad43cdef9cd3f154ee8d83e313120d9d85b2bb872c37872b5f4d3a

Download Submit
C:\UserDotQ5\devoptiec.exe

Filesize
3.1MB

MD5
5483073745e1cdcf3015048e7010dbfc

SHA1
9d984b319bf3272754a012420d405115193e79e7

SHA256
4035c648931b05342ec14a18eb84ed60d024a111a023b3952bd09e9ef7b3ce05

SHA512
367ba022ff2457605a403843628c3359ec1076c4970d8cda68e3ac8f4e5c5e2c982c8fdb99d19a7336b95cd6b34fab0a3e720f90af3a3089a86e91d43b06ff13

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
73a3e73c5c57eb2a7aba99bdcd05a5be

SHA1
0f496ade630f8e5e7b37224944425b84028db237

SHA256
fb83c0b91eb9a26f9af3ebad9a97d8af96dbe03eebf0f26df7d2567e4f79e3c1

SHA512
c19679afe7c9f510769019b4f8c732c74d83709cfcb7bb0e0441264cd2824ce603c49c42182c3ab4446c5927bb44d5b888310377a2a696d8a569201fe3d2c040

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
4807a91dddd788ed2fb08700a6e66c2b

SHA1
5b41b3dd1e0313aa0d0253c0f5cff5314085ac94

SHA256
3392f2f698d10b9025fc289be86a2efa1dcc4738cdde37f5184a403e9ca84435

SHA512
45d44038bbffa08a7e644cfc3d899412e98634b21182dc3dbbe414c27f138f979eec79fb6858eb527adec3027f9f73b15d99a4fcacfba391cd7698380eb44295

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.1MB

MD5
adaa8e0726d880fc347d63182f759017

SHA1
119dc0ad35ddf9ae8c5d73896311bd6a2ff34029

SHA256
072a7b4e9fd98ee649ebd559b79663fc7431d48ac9c57138b04147ea508a8a1e

SHA512
ada0c33a44aede85cbde71de9525e692154d955c0f4b4d4e137a9164a4726ac2a043254b1b4e6617a97567f47498c7388d5b4202a35f8328112645e37349c616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit