f6835a64ad16b132838d6d01ae750aef33b5bebdf2d5a19265fa5347e1153609

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
Size

3.9MB
MD5

579e2f65cf33f76a1b355d21aa8147ff
SHA1

ab4fd4314a2ccdd74fb3f05e37c0fa61bcf13081
SHA256

f6835a64ad16b132838d6d01ae750aef33b5bebdf2d5a19265fa5347e1153609
SHA512

9febf2abf1947f1c1691eb0eca3061132f25601e407c3d11fa7b5ea3c951831c95be167bd6acbc9fea7cc24fc00f2338f71fb78b94b2e7af6f921ccb9242c185
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUpvbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1840	locdevopti.exe
2568	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvC4\\devdobsys.exe"	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSZ\\boddevec.exe"	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe
1840	locdevopti.exe
2568	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1840	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 1840	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 1840	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 1840	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2568	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2568	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2568	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2568	2208	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\SysDrvC4\devdobsys.exe
  C:\SysDrvC4\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvC4\devdobsys.exe

Filesize
3.9MB

MD5
1d399c6ff4618722ab27a3dd9f5d8da3

SHA1
f3829aa2af43dee5ac379e37547e8ddc690a57a1

SHA256
d583d3e4504996b71ee9c50281deaefed941451e631eefe5febf9d7baf1e0bbc

SHA512
d411c6172463f674ba84cbe2a580f1cdef001241163b1d12afd46bc4e7a84ceb21a028dd0d30c0d1477e74d1e7df2540e3793be817e957f42e7ebecf67f6cd31

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
14400636b6f0ac2f7d15169bfaefba22

SHA1
a3bcc2e5ba3d6d23bcd00dd2103113bc433744ee

SHA256
08e851ecf6a0c4df8ea208c05bca6b4cadc1bcc7ae24010ab2a0adfc41284133

SHA512
5f05492dd15d96b14df12b2c1a07fabb7330624b2602bf32500225acc17e101ce50833dad77b284f1bb8031098c346a340026f0e69cb3eb2ac5fe4febd005193

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
f7eab8ac7c3148ae961a42be7cbd7a45

SHA1
8653684911dd4bf8a944b820ac6abe8e84e9a7e0

SHA256
651950a534d247ee82a5c566ffce3dcd2d1f31ac5bc12fd7e43230a1686fb3ce

SHA512
d72d142299666e4089f7f4f1e585c7f5aed1101ae9beb49ca7d88c57121bb91f6e7f32300a07696272ae863800f40d11e6730ee2c31649ca77e1e4318ac7b947

Download Submit
C:\VidSZ\boddevec.exe

Filesize
3.9MB

MD5
3693b505a19866194f9ac08c5e814f81

SHA1
56128c296de91dbe5f550278595c65b0a10d85a7

SHA256
1b49a90dd1fcfd4fe8fe18c01e02dbc46f661cbc3079f44308427133ec6c14d8

SHA512
d2afb1fcf00989f17607cf81f885574f8ffcb3dd9e2f32a767e7491ad68efbd7b617654cd8e70a161a58132aec2b6326ef5b1b8ceb3688b41156b4ebedc62273

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.9MB

MD5
c687b5403bce7f5a057699480d7cbbb5

SHA1
41b9971bad0b1dbee01e2ac91bc4e4393898cac7

SHA256
27ec4b76c79d5edecde0a7e5d3427f9b1e528f90f93ab4db3e73f03bdeaf445a

SHA512
736d54260bfaf414d2a40261c26098d398588b8960fce354593bf6a6fe872715c3180890d0dc1ff2433b2421dc61d2e64511a904b1bd0bc5109680fcce9a6c6c

Download Submit