4a0e61ad2ffe83ad7a3b11c1494bd2d6d32722683c8a2e1e3c3124cef0345fd9

Analysis

max time kernel
150s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
Size

2.7MB
MD5

4bf9d4a406ee7925c69cf04c59bde3a0
SHA1

ba7ab049346779b379b26bc46a0b88300b0cb7f9
SHA256

4a0e61ad2ffe83ad7a3b11c1494bd2d6d32722683c8a2e1e3c3124cef0345fd9
SHA512

f1810ac60794486d5684d80e9d074f62a5c402f776a12bb7e992479304352cb95d4c92738dd89c05b69148307a216cd568112cfc14831b505b576e079fb2a8b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpC4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNS\\bodxec.exe"	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLO\\devoptisys.exe"	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1284	ipconfig.exe
2404	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
1252	devoptisys.exe
1252	devoptisys.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1912	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	85
PID 212 wrote to memory of 1912	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	85
PID 212 wrote to memory of 1912	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	85
PID 212 wrote to memory of 1252	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	86
PID 212 wrote to memory of 1252	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	86
PID 212 wrote to memory of 1252	212	4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe	86
PID 1912 wrote to memory of 2612	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	91
PID 1912 wrote to memory of 2612	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	91
PID 1912 wrote to memory of 2612	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	91
PID 1912 wrote to memory of 2724	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	93
PID 1912 wrote to memory of 2724	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	93
PID 1912 wrote to memory of 2724	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	93
PID 1912 wrote to memory of 3084	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	94
PID 1912 wrote to memory of 3084	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	94
PID 1912 wrote to memory of 3084	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	94
PID 2612 wrote to memory of 1284	2612	cmd.exe	97
PID 2612 wrote to memory of 1284	2612	cmd.exe	97
PID 2612 wrote to memory of 1284	2612	cmd.exe	97
PID 2724 wrote to memory of 2404	2724	cmd.exe	98
PID 2724 wrote to memory of 2404	2724	cmd.exe	98
PID 2724 wrote to memory of 2404	2724	cmd.exe	98
PID 1912 wrote to memory of 2772	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	99
PID 1912 wrote to memory of 2772	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	99
PID 1912 wrote to memory of 2772	1912	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe	99

C:\Users\Admin\AppData\Local\Temp\4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4bf9d4a406ee7925c69cf04c59bde3a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
  C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:2772
- C:\IntelprocLO\devoptisys.exe
  C:\IntelprocLO\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocLO\devoptisys.exe

Filesize
2.7MB

MD5
3cdcfca369fee4771e3a48984c1a663a

SHA1
b277191ee9e02d8af4410462c7b01c0bd76c709a

SHA256
694baab37ffd6c443632745575efcc2890a5108f7d100bdbe05d86990fdc7669

SHA512
a2c1e6bcb7089ce64cd61eaf4c47ea360b56d47dede766590be2b665512def715f8c605cdd6d56db790e2ce420dacda97353f7bc96a73ad6f5927a1d461529a4

Download Submit
C:\LabZNS\bodxec.exe

Filesize
162KB

MD5
bf554a0744def9e6919685638e2eab73

SHA1
5178d3b21c956a53ebc5037bd90d0217b59c04bb

SHA256
1e7be7a17adce053b4b010f613bf1a930318dfe55d3fab42a1a66814e824e02e

SHA512
005c1f1b6940c0365f9a29d0ba37ba7f053772c838884a3944a45812740ab8c8dbc170a4b2fd04f7b95e28ca6f36a52452b00187e7f2718a564f9a4efd8b5eb2

Download Submit
C:\LabZNS\bodxec.exe

Filesize
2.7MB

MD5
c88f99fffb94c208e21644766dd2d4e7

SHA1
b70deb8eb6ad88924f554288226fd1e906334810

SHA256
6efc96fa77344e8e95c4e87eec57df1fb5d1f8cb7fb3780fee5d55f451173a3f

SHA512
bddea618319160d0d635d13cf38f06702dcf3e539cbf62db3ad2544cd6cb19e3d848094f2bb56da56fa4db41efa4866d8321c13da4c6397f23632f5d29871c8d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
75bc023b094e320a72c716b87925a120

SHA1
e63784adb865c7bfb7617ef9fd0e54ce964fee2a

SHA256
8a48e1a2e2ce15d1094d09ec498363051d0b4ab4b8d0ad64f7160f81e7ad62c7

SHA512
7c83c022931a24e40518bdd3c5b0c5fe2d891150f561d1009d33660419ddcb4f6ce9038f5c5ef26c44b4c1099fd1f17ce78d90fc0a2c85bdf68582dfc5fb8c13

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
94bec845920e0e1d5ea3a082429152ca

SHA1
918eaa9c856116c1c7a73af33857ac83ce73a436

SHA256
9520bea4ef781e6de37532fc1bc4b400b72fd80ef6091786bf931e0cc04511ea

SHA512
261bb659caf27e93bb243bb5020b7b720125aca5bec7a49322ad516a92dc2d61e02c3804515db274da75a2bcb43b8637df53e681452142f787fe6a9a2f27c719

Download Submit
C:\Users\Admin\grubb.list

Filesize
40KB

MD5
4d078bcd24b0b2ff40cf486bf9143e09

SHA1
9249baad8749f2e2ac58a202120981ad2483f670

SHA256
edaca178bb101d254d587ee95f188a766e28c8a9e0b79268bed0001bcd760ffe

SHA512
f0ae2e6ac116ee3a083d95fd4fa910c559aaa3b69957dbf5aa0ac4b0371e505a898bef04e14c94f2eee150f5981118ea6237f16bb3efeecc1cf22b8052848b4e

Download Submit
C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]sysxdob.exe

Filesize
2.7MB

MD5
2f0420680139f7149a787308cf1187f4

SHA1
268127dde77a8957a2c0e6bd3e656df272e6520c

SHA256
a3f3edea0e733c532d8b9185116350ebeda07f459ea2e6d53b08304b10cb437b

SHA512
17dc57d1f6f4d18ca321539c0831e96de8902ea8daf81622b06a437d7543b6aa30cb611349d3a8cf9b2c4bec86019ce61127704411d6f7e655f359e7c13e6f68

Download Submit