4a0e61ad2ffe83ad7a3b11c1494bd2d6d32722683c8a2e1e3c3124cef0345fd9

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
Size

2.7MB
MD5

4bf9d4a406ee7925c69cf04c59bde3a0
SHA1

ba7ab049346779b379b26bc46a0b88300b0cb7f9
SHA256

4a0e61ad2ffe83ad7a3b11c1494bd2d6d32722683c8a2e1e3c3124cef0345fd9
SHA512

f1810ac60794486d5684d80e9d074f62a5c402f776a12bb7e992479304352cb95d4c92738dd89c05b69148307a216cd568112cfc14831b505b576e079fb2a8b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpC4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWJ\\devbodsys.exe"	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWS\\dobxsys.exe"	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2140	ipconfig.exe
628	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe
2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
2972	devbodsys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2948	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2948	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2948	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2948	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2972	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 2972	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 2972	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 2972	2316	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 1944	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	33
PID 2948 wrote to memory of 1944	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	33
PID 2948 wrote to memory of 1944	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	33
PID 2948 wrote to memory of 1944	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	33
PID 2948 wrote to memory of 2132	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	34
PID 2948 wrote to memory of 2132	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	34
PID 2948 wrote to memory of 2132	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	34
PID 2948 wrote to memory of 2132	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	34
PID 2948 wrote to memory of 1548	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	36
PID 2948 wrote to memory of 1548	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	36
PID 2948 wrote to memory of 1548	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	36
PID 2948 wrote to memory of 1548	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	36
PID 1944 wrote to memory of 2140	1944	cmd.exe	39
PID 1944 wrote to memory of 2140	1944	cmd.exe	39
PID 1944 wrote to memory of 2140	1944	cmd.exe	39
PID 1944 wrote to memory of 2140	1944	cmd.exe	39
PID 2132 wrote to memory of 628	2132	cmd.exe	40
PID 2132 wrote to memory of 628	2132	cmd.exe	40
PID 2132 wrote to memory of 628	2132	cmd.exe	40
PID 2132 wrote to memory of 628	2132	cmd.exe	40
PID 2948 wrote to memory of 1360	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	41
PID 2948 wrote to memory of 1360	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	41
PID 2948 wrote to memory of 1360	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	41
PID 2948 wrote to memory of 1360	2948	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe	41

C:\Users\Admin\AppData\Local\Temp\4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
  C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1360
- C:\SysDrvWJ\devbodsys.exe
  C:\SysDrvWJ\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxWS\dobxsys.exe

Filesize
1.2MB

MD5
b79665224ebc4ce01e06d45c99abdff0

SHA1
3e34d0aca5fd82ab7b9ed2512f4fc879dddb0c61

SHA256
2712a4ebfcaa8e2b76e1411603a161455ebf26e374b82ab3879c717a3764b834

SHA512
b160c43a80520206a5bf3c174f5b9ffbc54df430501f025865daa934d2e9881a05ddd7a6cac54e2fafbe0787dc205874a28f82eeb473c4594c762278bf162ed3

Download Submit
C:\GalaxWS\dobxsys.exe

Filesize
2.7MB

MD5
7485b81d0dcd9718706b47e67bf4e1e9

SHA1
157ff8886d83dcc0d2acde59ae67c407c2c34495

SHA256
8f35aef0eb9e1391ad4832baa95869c48765ef3ccd426f19d6b786e94bb1ac5b

SHA512
2e492960363200af463b3b637068c553db181f1fd6eced63a9e9b6fa1baaa9c0a932d7191fb8d1065ed8c4d261bc1e381c234322fa952be6175b8b2f63048e6f

Download Submit
C:\SysDrvWJ\devbodsys.exe

Filesize
2.7MB

MD5
79d39102fd131c8400e444290258504f

SHA1
7ea722d5d4a12d20583d24a9bd22422527d0b92d

SHA256
d056e77cabbc70b402757a58839c3324af460d587c5ac767fcbff51f19cff8ad

SHA512
d95b65136adffd63b7a05662889be052a87cd5c187d7591bceccf1dfcd03ca62ddc144638f2101f647fb20b34afcce910358b4c5d1feb818d7be7fc2175bf77f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5ef92de4979390ed1dc9954e53b19c75

SHA1
5333a0d3201c4c3e54d0d95fcc95c5ffe296cefc

SHA256
68e5b75c10ee7ca36f4182f79daad544380e4a2b73b1cc8c10882819306bedab

SHA512
a79557363665064944c364669f8a895fe2b0699c3038635cedb2f8980db019efe60d490ec28d8b0cde595a8ec19dfdd73258a2ffb27ff2817cd58d9248613897

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
3a74fa6820e391b614c41ac03ad5caa9

SHA1
2deac5665e371ce9a26dd56c962d34c2cd378810

SHA256
9fdc997daa26df16e9e89b50bea4e6e772ad3b3fe77823bd6325f887a2f34cb3

SHA512
aef572e584c12013044df1bb013e0742d9350b32e000527e807c65fa24b64b8c51267b0ae23a1773d115d749de7444c4fe12ffc40e00e439fcba481bf4598698

Download Submit
C:\Users\Admin\grubb.list

Filesize
262KB

MD5
fef87a5f8aeecae730df1f4d335bb254

SHA1
f13e1219ad219f3995af0726b141a5cbcdc9c7fa

SHA256
1a3ffdc3513ec6da5d2d745474048be0891a6d98fa8947b644b7f681f17bc490

SHA512
1e2b4e2b20d4703957c6e38a91d714d0b232cb3901531afe42a22ac88f097143b8469b4d8679326637e36791d4a158ae4fc7e071f6eda3c8f47093d70fc40e6a

Download Submit
\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxopti.exe

Filesize
2.7MB

MD5
4551b63e96745c8395f75aff15251696

SHA1
35f76962eaa63b5d92084de664c731de0bcd6dc2

SHA256
3631aecf5cc0bd2e39911adc94ca69fc648fa3ee0970d95d3d808f5c051b58ed

SHA512
aa50edc7662074095d91d86dfdc0be43f48451e7aacb2af2caab7f86e618da02174afcdaab1f7cb72f5321dac1a840ccedf25708cb051abf58aaea2901ce4e5b

Download Submit