10f1c6d91af5d7115b3a4778c641a4473fde255b6d0517b30d09f6d82cfb2eae

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
Size

2.6MB
MD5

c48f64491a7a7b87bf124877a63ed240
SHA1

85aed40db6aaaf296c2be48290ccf135276a3ac5
SHA256

10f1c6d91af5d7115b3a4778c641a4473fde255b6d0517b30d09f6d82cfb2eae
SHA512

eb7f5c4e3f1124dbdade029e9d70f9a100c1d00a7fa29427377df41a574a7ea01dd28a5215e122741062aea60b22edcb80e4312c018a252f39826e2c8616a089
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpDb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	sysaopti.exe
2700	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv83\\devdobloc.exe"	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQE\\optialoc.exe"	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe
2516	sysaopti.exe
2700	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2516	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2516	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2516	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2516	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2700	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2700	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2700	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	29
PID 2168 wrote to memory of 2700	2168	c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c48f64491a7a7b87bf124877a63ed240_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\SysDrv83\devdobloc.exe
  C:\SysDrv83\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQE\optialoc.exe

Filesize
2.6MB

MD5
a5885f5e22ad1ccd091f42f38de7ba6e

SHA1
65b89f92c3397066fb83d7610be120cdb1647ddc

SHA256
7658a0623334c38ddcd316609875f03852c1f221c895467245c54c8e99447501

SHA512
67c0fc6036e59559a0eafedca22d0771937115b658a12fde6900b86731f529116994428f1db3950d3534d8f821d346fbd0494297d64007a0538409d9ad54cec0

Download Submit
C:\LabZQE\optialoc.exe

Filesize
75KB

MD5
ffdfa29fb667e32a6bf13191dc52e515

SHA1
98206372c29abb56e82d8a30bdf520474baf8d9e

SHA256
2bc238da3a40addac6cbda2995d3017b718c47c9e1a0c82d2f59cb5fe6a98118

SHA512
df60150d6555efe7bd0f236967007c449d11316bdde0c4da876b93cfb951f0fb829f5b8d2f6c1d583c9d3fff158376061f4ba44a9fd9be83518deb41ce467c5d

Download Submit
C:\SysDrv83\devdobloc.exe

Filesize
2.6MB

MD5
2ddbd5d20c5bc6de30e94b654732d405

SHA1
7c011b9f6ecb8fa26caf0d4c77568045b19e3a51

SHA256
cd1500125512ce478408e74f23013e5918d4dbba071e83c03492de0b1a5df53c

SHA512
30427f3a890ec53dc78e0738148f4a842c684d2bbfe3a79a8826653880927b0f72c042585e8bc59cb8a02ab077b16f7f7c5b2d93c9bd8d3072c0f290a145ebf2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
717b903d2de6e7a956b397f5cd576312

SHA1
d149daee82e2bd735887279e1cffebb2a1d3a108

SHA256
c204df167f92fcd85993cfb0102e65de19090d44bf8f4c811ca60f58df33261b

SHA512
cbcff9f3b2ecaeca6c1e2417e972efa1858b4a35866469608a890b60e0f2e9dac6438dbf25fc16cc6ee1fce8d0e8ec0022675b83ffa73c2f669a623f8d43622e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
140be81d9638ea909afbb4bafa808ca4

SHA1
4e244cf98c20564e9d2e25c03adad70e597f66e5

SHA256
a8374386246250475982febb507db69b3e25b5819309b7632ca81c9913ed920b

SHA512
24c28d70db64320fca2e5241f377689c86c0ddf53ff1d21c099002c0d1ad50007431ec2a2d0a316807b212598c0b36c516a044906055169d1c6d9696a1b03f91

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
d33807c52a16c826dee3c8964f4da4fb

SHA1
8e98c9bb95f881f77d8b6b76e7c694ef5da8fbe9

SHA256
0d8915324af74027398e4e3dc9babd84e3b59b211a6a51749649e67c76e72e7f

SHA512
b68f07c7751a9459ef8dda831081a8327e1a4a76f1f133b0d0daa21c2735d2b54b298b09e2ad1e32bfe1fbaf53ef13668369ee082ed2d2d95b0d2d478fe7526e

Download Submit