122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
Size

4.0MB
MD5

72fd6e866a4b053c05123393dd6fcae0
SHA1

c914dd795c00507039d5e7527e893c8008d0c0d3
SHA256

122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331
SHA512

3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	sysxdob.exe
3356	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3R\\devoptisys.exe"	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB6\\optidevloc.exe"	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe
3324	sysxdob.exe
3324	sysxdob.exe
3356	devoptisys.exe
3356	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3324	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	94
PID 1520 wrote to memory of 3324	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	94
PID 1520 wrote to memory of 3324	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	94
PID 1520 wrote to memory of 3356	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	95
PID 1520 wrote to memory of 3356	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	95
PID 1520 wrote to memory of 3356	1520	72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe	95

C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Intelproc3R\devoptisys.exe
  C:\Intelproc3R\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc3R\devoptisys.exe

Filesize
4.0MB

MD5
b199733b4aa5b07f0d1b8ac9d0bd540c

SHA1
103bffc31834e2c0964c9d583c01c12f3e2f8230

SHA256
797bee3c30b5624e44eb9c89ebefaa79243eddd302d114284a321022434b2414

SHA512
80788892ca233a4e0165f2ef816f6de49c9903768f84475bd94b725d4f0029153d9443861d6b59e9bd84b9793fd947f21046a42d013d9e00879a367723a62e94

Download Submit
C:\MintB6\optidevloc.exe

Filesize
3.6MB

MD5
7b53db4ef28b2fa4e4becbb6fe98e0cb

SHA1
6225a9c8acf89c59356cf09948cf6f2d63d69255

SHA256
5708fe7d248e196a335863491c878b2e2db356264e8ab45a6f8cf33ebb9d7c04

SHA512
17061c379ebcc025640479833a4ee95993e7da1f1c3d1eecea71c5f7fbdc0538dd31967963c5b5c7294db42682321e6ef03f16660b9c0725d50b57f7c4152e67

Download Submit
C:\MintB6\optidevloc.exe

Filesize
15KB

MD5
baebd565738a73b1785d23f85b9b1880

SHA1
3e776227196d9cbee3a9edf120876f20e6af105e

SHA256
d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7

SHA512
3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
83fc7a7daaa11a50ee4670baa53174a3

SHA1
2861176bd8d80e90c5057c17c1cecdad28ba0fc2

SHA256
052cfade5e7f3b8b400473938f9b3fbb0b89dbe5a083d8dd7880f1670e89981c

SHA512
8a3250ba56d752ff20c68f9e322e55fca381497a65da4a10a80b9ab1c45e7da4ca1c54580d203a5efdb9b0cce571ef8245a0eb3b66f37d45b836485f38a3fe5c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
178B

MD5
deb663d9c10d1e7abe967e1b10604db7

SHA1
5d7060f90d7435b7cb4b12c9dc63c64b65a6ac83

SHA256
cccfae9373c0ab8ed50535e32b869da70cc8c005664d5ea59491a3470ab8d2bb

SHA512
eb2588fd35e778cd0739369c2653fc5158627f119636c887f5aed23425ff4da0032493a466a338e084bd1ecd390eb5e1c9620f22d57ff504b451769c1bd8e05e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.0MB

MD5
e5f888ea99b11d68f92a6dbec2050db4

SHA1
261fc972a2b7d1608fc038722359435c3adec996

SHA256
afd8c650b360fd65f6ebc0803c2c9cae4478027aaea3fd98477d7d9d2428a28f

SHA512
0a33d817e399f9462f888752a2de95c7187fb1b8d0aa1829c1ee9a2c1e57d70e4c8b1ce270be1f777c2866f5fbcb46118919b967c81aae806680ae1c132865ee

Download Submit